Simatic: Easy Book

Easy Book Preface
Introducing the powerful and

flexible S7-1200 1
STEP 7 makes the work
2
SIMATIC easy
Getting started 3
PLC concepts made easy 4

Easy to create the device
configuration 5
Programming made easy 6

Easy to communicate
between devices 7
1
Preface
Welcome to the world of S7-1200. The SIMATIC S7-1200 compact controller is the modular,
space-saving controller for small automation systems that require either simple or advanced
functionality for logic, HMI and networking. The compact design, low cost, and powerful
features make the S7-1200 a perfect solution for controlling small applications.
As part of the SIMATIC commitment to "totally integrated automation" (TIA), the S7-1200
product family and the TIA Portal programming software give you the flexibility you need to
solve your automation needs.
The S7-1200 helps to make the most challenging tasks easy!
The SIMATIC S7-1200 controller solution, designed for the "compact" controller class, is
comprised of the SIMATIC S7-1200 controller and SIMATIC HMI Basic panels that can both
be programmed with the TIA Portal engineering software. The ability to program both
devices using the same engineering software significantly reduces development costs. The
TIA Portal includes STEP 7 for S7-1200 programming and WinCC for designing Basic panel
projects.
The S7-1200 compact controller includes:

• Built-in PROFINET
• High-speed I/O capable of motion control, onboard
analog inputs to minimize space requirements and
the need for additional I/O, 4 pulse generators for
pulse-train and pulse-width applications (Page 70),
and up to 6 high-speed counters (Page 129)
• On-board I/O points built into the CPU modules
provide from 6 to 14 input points and from 4 to 10
output points.
Signal modules for DC, relay, or analog I/O
expand the number of I/O points, and inno-
vative signal boards snap onto the front of
the CPU to provide additional I/O (Page 18).
The SIMATIC HMI Basic panels (Page 20)
were designed specifically for the S7-1200.
This Easy Book provides an introduction to
the S7-1200 PLC. The following pages offer
an overview of the many features and capa-
bilities of the devices.
For additional information, refer to the S7-1200 Programmable Controller System Manual.
For information about UL and FM certification, CE labeling, C-Tick and other standards, refer
to the Technical specifications (Page 361).
2
Preface
This manual describes the following products:

● STEP 7 V13 SP1 Basic and Professional
● S7-1200 CPU firmware release V4.1
Documentation and information

S7-1200 and STEP 7 provide a variety of documentation and other resources for finding the
technical information that you require.
● The S7-1200 Programmable Controller System Manual provides specific information
about the operation, programming, and the specifications for the complete S7-1200
product family. In addition to the system manual, the S7-1200 Easy Book provides a
more general overview to the capabilities of the S7-1200 family.
Both the system manual and the Easy Book are available as electronic (PDF) manuals.
The electronic manuals can be downloaded from the customer support web site and can
also be found on the documentation disk that ships with every S7-1200 CPU.
● The online STEP 7 information system provides immediate access to the conceptual
information and specific instructions that describe the operation and functionality of the
programming package and basic operation of SIMATIC CPUs.
● My Documentation Manager accesses the electronic (PDF) versions of the SIMATIC
documentation set, including the system manual, the Easy Book, and the STEP 7
information system. With My Documentation Manager, you can drag and drop topics from
various documents to create your own custom manual.
The customer support entry portal (http://support.automation.siemens.com) provides a
link to My Documentation Manager under mySupport.
● The customer support web site also provides podcasts, FAQs, and other helpful
documents for S7-1200 and STEP 7. The podcasts utilize short educational video
presentations that focus on specific features or scenarios in order to demonstrate the
interactions, convenience, and efficiency provided by STEP 7. Visit the following web
sites to access the collection of podcasts:
– STEP 7 Basic web page (http://www.automation.siemens.com/mcms/simatic-
controller-software/en/step7/step7-basic/Pages/Default.aspx)
– STEP 7 Professional web page (http://www.automation.siemens.com/mcms/simatic-
controller-software/en/step7/step7-professional/Pages/Default.aspx)
● You can also follow or join product discussions on the Service & Support technical forum
(https://www.automation.siemens.com/WW/forum/guests/Conferences.aspx?Language=e
n&siteid=csius&treeLang=en&groupid=4000002&extranet=standard&viewreg=WW&nodei
d0=34612486). These forums allow you to interact with various product experts.
– Forum for S7-1200
(https://www.automation.siemens.com/WW/forum/guests/Conference.aspx?SortField=
LastPostDate&SortOrder=Descending&ForumID=258&Language=en&onlyInternet=Fa
lse)
– Forum for STEP 7 Basic
(https://www.automation.siemens.com/WW/forum/guests/Conference.aspx?SortField=
LastPostDate&SortOrder=Descending&ForumID=265&Language=en&onlyInternet=Fa
lse)
3
Preface
Service and support

In addition to our documentation, Siemens offers technical expertise on the Internet and on
the customer support web site (http://www.siemens.com/tiaportal).
Contact your Siemens distributor or sales office for assistance in answering any technical
questions, for training, or for ordering S7 products. Because your sales representatives are
technically trained and have the most specific knowledge about your operations, process
and industry, as well as about the individual Siemens products that you are using, they can
provide the fastest and most efficient answers to any problems you might encounter.
Security information
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, solutions, machines, equipment and/or networks. They are
important components in a holistic industrial security concept. With this in mind, Siemens’
products and solutions undergo continuous development. Siemens recommends strongly
that you regularly check for product updates.
For the secure operation of Siemens products and solutions, it is necessary to take suitable
preventive action (e.g. cell protection concept) and integrate each component into a holistic,
state-of-the-art industrial security concept. Third-party products that may be in use should
also be considered. You can find more information about industrial security on the Internet
(http://www.siemens.com/industrialsecurity).
To stay informed about product updates as they occur, sign up for a product-specific
newsletter. You can find more information on the Internet
(http://support.automation.siemens.com).
4
Preface
5
Table of contents
Preface ................................................................................................................................................... 3
1 Introducing the powerful and flexible S7-1200 ....................................................................................... 15
1.1 Introducing the S7-1200 PLC .................................................................................................15
1.2 Expansion capability of the CPU ............................................................................................18
1.3 S7-1200 modules ....................................................................................................................19
1.4 Basic HMI panels ....................................................................................................................20
1.5 Mounting dimensions and clearance requirements ................................................................21
1.6 New features ...........................................................................................................................26
2 STEP 7 makes the work easy ............................................................................................................... 29
2.1 Easy to insert instructions into your user program .................................................................30
2.2 Easy access to your favorite instructions from a toolbar ........................................................30
2.3 Easy to add inputs or outputs to LAD and FBD instructions...................................................31
2.4 Expandable instructions ..........................................................................................................31
2.5 Easy to change the operating mode of the CPU ....................................................................32
2.6 Easy to modify the appearance and configuration of STEP 7 ................................................32
2.7 Project and global libraries for easy access ...........................................................................33
2.8 Easy to select a version of an instruction ...............................................................................33
2.9 Easy to drag and drop between editors ..................................................................................34
2.10 Changing the call type for a DB ..............................................................................................35
2.11 Temporarily disconnecting devices from a network ................................................................36
2.12 Easy to virtually "unplug" modules without losing the configuration .......................................37
3 Getting started ...................................................................................................................................... 39
3.1 Create a project ......................................................................................................................39
3.2 Create tags for the I/O of the CPU ..........................................................................................40
3.3 Create a simple network in your user program .......................................................................42
3.4 Use the PLC tags in the tag table for addressing the instructions ..........................................44
3.5 Add a "box" instruction ............................................................................................................45
3.6 Use the CALCULATE instruction for a complex mathematical equation ................................46
3.7 Add an HMI device to the project ............................................................................................48
3.8 Create a network connection between the CPU and HMI device ..........................................49
3.9 Create an HMI connection to share tags ................................................................................49
6
Table of contents
3.10 Create an HMI screen ............................................................................................................ 50

3.11 Select a PLC tag for the HMI element ................................................................................... 51
4 PLC concepts made easy ..................................................................................................................... 53
4.1 Tasks performed every scan cycle ........................................................................................ 53
4.2 Operating modes of the CPU ................................................................................................. 55
4.3 Execution of the user program ............................................................................................... 56
4.3.1 Processing the scan cycle in RUN mode ............................................................................... 56
4.3.2 OBs help you structure your user program ............................................................................ 57
4.3.3 Event execution priorities and queuing .................................................................................. 58
4.4 Memory areas, addressing and data types ............................................................................ 61
4.4.1 Data types supported by the S7-1200 ................................................................................... 62
4.4.2 Addressing memory areas ..................................................................................................... 64
4.4.3 Accessing a "slice" of a tagged data type .............................................................................. 67
4.4.4 Accessing a tag with an AT overlay ....................................................................................... 68
4.5 Pulse outputs ......................................................................................................................... 70
5 Easy to create the device configuration ................................................................................................. 73
5.1 Uploading the configuration of a connected CPU .................................................................. 74
5.2 Adding a CPU to the configuration......................................................................................... 76
5.3 Changing a device ................................................................................................................. 77
5.4 Adding modules to the configuration ..................................................................................... 78
5.5 Configuration control .............................................................................................................. 79
5.6 Configuring the operation of the CPU and modules .............................................................. 80
5.6.1 System memory and clock memory provide standard functionality ....................................... 82
5.7 Configuring the IP address of the CPU .................................................................................. 85
5.8 Protecting access to the CPU or code block is easy ............................................................. 87
5.8.1 Know-how protection ............................................................................................................. 89
5.8.2 Copy protection ...................................................................................................................... 90
6 Programming made easy ...................................................................................................................... 93
6.1 Easy to design your user program ......................................................................................... 93
6.1.1 Use OBs for organizing your user program ........................................................................... 95
6.1.2 FBs and FCs make programming the modular tasks easy .................................................... 97
6.1.3 Data blocks provide easy storage for program data .............................................................. 98
6.1.4 Creating a new code block ..................................................................................................... 99
6.1.5 Creating reusable code blocks............................................................................................. 100
6.1.6 Calling a code block from another code block ..................................................................... 101
6.2 Easy-to-use programming languages .................................................................................. 101
6.2.1 Ladder logic (LAD) ............................................................................................................... 102
6.2.2 Function Block Diagram (FBD) ............................................................................................ 103
6.2.3 SCL overview ....................................................................................................................... 103
6.2.4 SCL program editor .............................................................................................................. 104
6.3 Powerful instructions make programming easy ................................................................... 105
6.3.1 Providing the basic instructions you expect ......................................................................... 105
7
Table of contents
6.3.2 Comparator and Move instructions .......................................................................................108

6.3.3 Conversion operations ..........................................................................................................109
6.3.4 Math made easy with the Calculate instruction ....................................................................111
6.3.5 Timer operations ...................................................................................................................113
6.3.6 Counter operations ...............................................................................................................118
6.3.7 Pulse-width modulation (PWM) ............................................................................................121
6.4 Easy to create data logs .......................................................................................................122
6.5 Easy to monitor and test your user program ........................................................................124
6.5.1 Watch tables and force tables ..............................................................................................124
6.5.2 Cross reference to show usage ............................................................................................125
6.5.3 Call structure to examine the calling hierarchy .....................................................................126
6.5.4 Diagnostic instructions to monitor the hardware ...................................................................127
6.5.4.1 Reading the states of the LEDs on the CPU ........................................................................127
6.5.4.2 Instructions for reading the diagnostic status of the devices ................................................128
6.6 High-speed counter (HSC) ...................................................................................................129
6.6.1 Operation of the high-speed counter ....................................................................................131
6.6.2 Configuration of the HSC ......................................................................................................137
7 Easy to communicate between devices ............................................................................................... 139
7.1 Creating a network connection .............................................................................................140
7.2 Communication options ........................................................................................................141
7.3 V4.1 asynchronous communication connections .................................................................143
7.4 PROFINET and PROFIBUS instructions ..............................................................................146
7.5 PROFINET ............................................................................................................................147
7.5.1 Open user communication ....................................................................................................147
7.5.1.1 Ad hoc mode .........................................................................................................................148
7.5.1.2 Connection IDs for the Open user communication instructions ...........................................148
7.5.1.3 Parameters for the PROFINET connection ..........................................................................152
7.5.2 Configuring the Local/Partner connection path ....................................................................154
7.6 PROFIBUS ............................................................................................................................157
7.6.1 Communications services of the PROFIBUS CMs ...............................................................158
7.6.2 Reference to the PROFIBUS CM user manuals ..................................................................159
7.6.3 Adding the CM 1243-5 (DP master) module and a DP slave ...............................................160
7.6.4 Assigning PROFIBUS addresses to the CM 1243-5 module and DP slave .........................161
7.7 AS-i .......................................................................................................................................163
7.7.1 Adding the AS-i master CM 1243-2 and AS-i slave ..............................................................164
7.7.2 Assigning an AS-i address to an AS-i slave .........................................................................165
7.8 S7 communication ................................................................................................................168
7.8.1 GET and PUT instructions ....................................................................................................168
7.8.2 Creating an S7 connection ...................................................................................................169
7.8.3 GET/PUT connection parameter assignment .......................................................................170
7.9 GPRS ....................................................................................................................................171
7.9.1 Connection to a GSM network ..............................................................................................171
7.9.2 Applications of the CP 1242-7 ..............................................................................................173
7.9.3 Other properties of the CP-1242-7 .......................................................................................174
7.9.4 Configuration and electrical connections ..............................................................................175
7.9.5 Further information................................................................................................................175 8
Table of contents
7.9.6 Accessories .......................................................................................................................... 176

7.9.7 Reference to GSM antenna manual .................................................................................... 177
7.9.8 Configuration examples for telecontrol ................................................................................ 177
7.10 PtP, USS, and Modbus communication protocols ............................................................... 182
7.10.1 Point-to-point communication .............................................................................................. 182
7.10.2 Using the serial communication interfaces .......................................................................... 184
7.10.3 PtP instructions .................................................................................................................... 185
7.10.4 USS instructions................................................................................................................... 186
7.10.5 Modbus instructions ............................................................................................................. 188
9
Table of contents
10
Introducing the powerful and flexible S7-1200 1
1.1 Introducing the S7-1200 PLC
The S7-1200 controller provides the flexibility and power to control a wide variety of devices
in support of your automation needs. The compact design, flexible configuration, and
powerful instruction set combine to make the S7-1200 a perfect solution for controlling a
wide variety of applications.
The CPU combines a microprocessor, an integrated power supply, input and output circuits,
built-in PROFINET, high-speed motion control I/O, and on-board analog inputs in a compact
housing to create a powerful controller. After you download your program, the CPU contains
the logic required to monitor and control the devices in your application. The CPU monitors
the inputs and changes the outputs according to the logic of your user program, which can
include Boolean logic, counting, timing, complex math operations, and communications with
other intelligent devices.
The CPU provides a PROFINET port for communication over a PROFINET network.
Additional modules are available for communicating over PROFIBUS, GPRS, RS485,
RS232, IEC, DNP3, and WDC networks.
① Power connector
② Memory card slot under top
door
③ Removable user wiring con-
nectors (behind the doors)
④ Status LEDs for the on-
board I/O
⑤ PROFINET connector (on
the bottom of the CPU)
Several security features help protect access to both the CPU and the control program:
● Every CPU provides password protection (Page 87) that allows you to configure access
to the CPU functions.
● You can use "know-how protection" (Page 89) to hide the code within a specific block.
● You can use copy protection (Page 90) to bind your program to a specific memory card or
CPU.
11
Introducing the powerful and flexible S7-1200
Table 1- 1 Comparing the CPU models
Feature CPU 1211C CPU 1212C CPU 1214C CPU 1215C CPU 1217C
Physical size (mm) 90 x 100 x 75 110 x 100 x 75 130 x 100 x 75 150 x 100 x 75
User memory Work 50 Kbytes 75 Kbytes 100 Kbytes 125 Kbytes 150 Kbytes
Load 1 Mbyte 4 Mbytes
Retentive 10 Kbytes
Local on-board I/O Digital 6 inputs/4 out- 8 inputs/6 out- 14 inputs/10 output
puts puts
Analog 2 inputs 2 inputs/2 output
Process image size Inputs (I) 1024 bytes
Outputs (Q) 1024 bytes
Bit memory (M) 4096 bytes 8192 bytes
Signal module (SM) expansion None 2 8
Signal board (SB), Battery board 1
(BB), or communication board
(CB)
Communication module (CM) 3
(left-side expansion)
High-speed coun- Total Up to 6 configured to use any built-in or SB inputs
ters 1 MHz - Ib.2 to Ib.5
100/180 Ia.0 to Ia.5
kHz
30/120 kHz -- Ia.6 to Ia.7 Ia.6 to Ib.5 Ia.6 to Ib.1
200 kHz3
Pulse outputs2 Total Up to 4 configured to use any built-in or SB outputs
1 MHz -- Qa.0 to Qa.3
100 kHz Qa.0 to Qa.3 Qa.4 to Qb.1
20 kHz -- Qa.4 to Qa.5 Qa.4 to Qb. --
Memory card SIMATIC Memory card (optional)
Real time clock retention time 20 days, typ./12 day min. at 40 degrees C (maintenance-free Super Capacitor)
PROFINET 1 2
Ethernet communication port
Real math execution speed 2.3 μs/instruction
Boolean execution speed 0.08 μs/instruction
1 The slower speed is applicable when the HSC is configured for quadrature mode of operation.
2 For CPU models with relay outputs, you must install a digital signal (SB) to use the pulse outputs.
3 Up to 200 kHz are available with the SB 1221 DI x 24 VDC 200 kHz and SB 1221 DI 4 x 5 VDC 200 kHz.
The different CPU models provide a diversity of features and capabilities that help you create
effective solutions for your varied applications. For detailed information about a specific
CPU, see the technical specifications (Page 361).
12
Table 1- 2 Blocks, timers, and counters supported by S7-1200
Element Description
Blocks Type OB, FB, FC, DB
Size 50 Kbytes (CPU 1211C)
75 Kbytes (CPU 1212C)
Quantity Up to 1024 blocks total (OBs + FBs + FCs + DBs)
Nesting depth 16 from the program cycle or startup OB;
6 from any interrupt event OB
Monitoring Status of 2 code blocks can be monitored simultaneously
OBs Program cycle Multiple
Startup Multiple
Time-delay interrupts 4 (1 per event)
Cyclic interrupts 4 (1 per event)
Hardware interrupts 50 (1 per event)
Time error interrupts 1
Diagnostic error interrupts 1
Pull or plug of modules 1
Rack or station failure 1
Time of day Multiple
Status 1
Update 1
Profile 1
Timers Type IEC
Quantity Limited only by memory size
Storage Structure in DB, 16 bytes per timer
Counters Type IEC
Quantity Limited only by memory size
Storage Structure in DB, size dependent upon count type
• SInt, USInt: 3 bytes
• Int, UInt: 6 bytes
• DInt, UDInt: 12 bytes
13
1.2 Expansion capability of the CPU
1.2 Expansion capability of the CPU

The S7-1200 family provides a variety of modules and plug-in boards for expanding the
capabilities of the CPU with additional I/O or other communication protocols. For detailed
information about a specific module, see the technical specifications (Page 361).
① Communication module (CM) or communication processor (CP)

② CPU (CPU 1211C, CPU 1212C, CPU 1214C, CPU 1215C, CPU 1217C)
③ Signal board (SB) (digital SB, analog SB), communication board (CB), or Battery Board (BB)
CPU (CPU 1211C, CPU 1212C, CPU 1214C, CPU 1215C, CPU 1217C)
④ Signal module (SM) (digital SM, analog SM, thermocouple SM, RTD SM, technology SM)
14
1.3 S7-1200 modules
1.3 S7-1200 modules
Table 1- 3 S7-1200 expansion modules
Type of module Description

The CPU supports one plug-in expansion
board:
• A signal board (SB) provides additional
I/O for your CPU. The SB connects on
the front of the CPU.
• A communication board (CB) allows
you to add another communication port
to your CPU.
• A battery board (BB) allows you to
provide long term backup of the
realtime clock.
① Status LEDs on the SB

② Removable user wiring connector
Signal modules (SMs) add additional func-
tionality to the CPU. SMs connect to the
right side of the CPU.
• Digital I/O
• Analog I/O
• RTD and thermocouple
• SM 1278 IO-Link Master
① Status LEDs
② Bus connector slide tab
③ Removable user wiring connector
Communication modules (CMs) and
communications processors (CPs) add
communication options to the CPU, such
as for PROFIBUS or RS232/RS485 con-
nectivity (for PtP, Modbus or USS), or the
AS-i master.
A CP provides capabilities for other types
of communication, such as connecting to
the CPU over a GPRS, IEC, DNP3, or
WDC network.
• The CPU supports up to three CMs or
CPs
15
1.4 Basic HMI panels
Type of module Description

• Each CM or CP connects to the left ① Status LEDs
side of the CPU (or to the left side of
another CM or CP) ② Communication connector
1.4 Basic HMI panels

The SIMATIC HMI Basic Panels provide touch-screen devices for basic operator control and
monitoring tasks. All panels have a protection rating for IP65 and have CE, UL, cULus, and
NEMA 4x certification.
The available Basic HMI panels are described below:
● KTP400 Basic: 4" Touch screen with 4 configurable keys, a resolution of 480 x 272 and
800 tags
800 tags
● KTP700 Basic DP: 7" Touch screen with 8 configurable keys, a resolution of 800 x 480
and 800 tags
800 tags
● KTP1200 Basic: 12" Touch screen with 10 configurable keys, a resolution of 800 x 480
and 800 tags
● KTP 1200 Basic DP: 12 Touch screen with 10 configurable keys, a resolution of 800 x
400 and 800 tags
16
1.5 Mounting dimensions and clearance requirements

The S7-1200 PLC is designed to be easy to install. Whether mounted on a panel or on a
standard DIN rail, the compact size makes efficient use of space.
Refer to the S7-1200 Programmable Controller System Manual for specific requirements and
guidelines for installation.
17
Table 1- 4 Mounting dimensions (mm)
S7-1200 Devices Width A Width B Width C

(mm) (mm) (mm)
CPU CPU 1211C and CPU 1212C 90 45 --
CPU 1214C 110 55 --
CPU 1215C 130 65 (top) Bottom:
C1: 32.5
C2: 65
C3: 32.5
CPU 1217C 150 75 Bottom:
C1: 37.5
C2: 75
C3: 37.5
Signal modules Digital 8 and 16 point 45 22.5 --
Analog 2, 4, and 8 point
Thermocouple 4 and 8 point
RTD 4 point
SM 1278 IO Link-Master
Digital DQ 8 x Relay (Changeover) 70 35 --
Analog 16 point 70 35 --
RTD 8 point
Communication CM 1241 RS232, and 30 15 --
interfaces CM 1241 RS422/485
CM 1243-5 PROFIBUS master and
CM 1242-5 PROFIBUS slave
CM 1242-2 AS-i Master
CP 1242-7 GPRS V2
CP 1243-7 LTE-EU
CP 1243-1 DNP3
CP 1243-1 IEC
CP 1243-1
CP1243-1 PCC
CP 1243-8 ST7
RF120C
TS (TeleService) Adapter IE Advanced 1
TS (Teleservice) Adapter IE Basic 1
TS Adapter 30 15 --
TS Module 30 15 --
1 Before installing the TS (TeleService) Adapter IE Advanced or IE Basic, you must first connect the
TS Adapter and a TS module. The total width ("width A") is 60 mm.
Each CPU, SM, CM, and CP supports mounting on either a DIN rail or on a panel. Use the
DIN rail clips on the module to secure the device on the rail. These clips also snap into an
extended position to provide screw mounting positions to mount the unit directly on a panel.
The interior dimension of the hole for the DIN clips on the device is 4.3 mm.
18
A 25 mm thermal zone must be provided above and below the unit for free air circulation.
The S7-1200 equipment is designed to be easy to install. You can install an S7-1200 either
on a panel or on a standard rail, and you can orient the S7-1200 either horizontally or
vertically. The small size of the S7-1200 allows you to make efficient use of space.
The S7-1200 fail-safe CPUs do not support PROFIBUS or PROFINET distributed fail-safe
I/O.
Electrical equipment standards classify the SIMATIC S7-1200 system as Open Equipment.
You must install the S7-1200 in a housing, cabinet, or electric control room. You should limit
entry to the housing, cabinet, or electric control room to authorized personnel.
The installation should provide a dry environment for the S7-1200. SELV/PELV circuits are
considered to provide protection against electric shock in dry locations.
The installation should provide mechanical and environmental protection that is approved for
open equipment in your particular location category according to applicable electrical and
building codes.
Conductive contamination due to dust, moisture, and airborne pollution can cause
operational and electrical faults in the PLC.
If you locate the PLC in an area where conductive contamination may be present, the PLC
must be protected by an enclosure with appropriate protection rating. IP54 is one rating that
is generally used for electronic equipment enclosures in dirty environments and may be
appropriate for your application.
WARNING
Improper installation of the S7-1200 can result in electrical faults or unexpected operation
of machinery.
Electrical faults or unexpected machine operation can result in death, severe personal
injury, and/or property damage.
All instructions for installation and maintenance of a proper operating environment must be
followed to ensure the equipment operates safely.
Separate the S7-1200 devices from heat, high voltage, and electrical noise
As a general rule for laying out the devices of your system, always separate the devices that
generate high voltage and high electrical noise from the low-voltage, logic-type devices such
as the S7-1200.
When configuring the layout of the S7-1200 inside your panel, consider the heat-generating
devices and locate the electronic-type devices in the cooler areas of your cabinet. Reducing
the exposure to a high-temperature environment will extend the operating life of any
electronic device.
Consider also the routing of the wiring for the devices in the panel. Avoid placing low-voltage
signal wires and communications cables in the same tray with AC power wiring and high-
energy, rapidly-switched DC wiring.
19
Provide adequate clearance for cooling and wiring

S7-1200 devices are designed for natural convection cooling. For proper cooling, you must
provide a clearance of at least 25 mm above and below the devices. Also, allow at least 25
mm of depth between the front of the modules and the inside of the enclosure.
CAUTION
For vertical mounting, the maximum allowable ambient temperature is reduced by 10
degrees C.
Orient a vertically mounted S7-1200 system as shown in the following figure.
Ensure that the S7-1200 system is mounted correctly.
When planning your layout for the S7-1200 system, allow enough clearance for the wiring
and communications cable connections.
① Side view ③ Vertical installation

② Horizontal installation ④ Clearance area
20
WARNING
Installation or removal of S7-1200 or related equipment with the power applied could cause
electric shock or unexpected operation of equipment.
Failure to disable all power to the S7-1200 and related equipment during installation or
removal procedures could result in death, severe personal injury and/or property damage
due to electric shock or unexpected equipment operation.
Always follow appropriate safety precautions and ensure that power to the S7-1200 is
disabled before attempting to install or remove S7-1200 CPUs or related equipment.
Always ensure that whenever you replace or install an S7-1200 device you use the correct
module or equivalent device.
WARNING
Incorrect installation of an S7-1200 module may cause the program in the S7-1200 to
function unpredictably.
Failure to replace an S7-1200 device with the same model, orientation, or order could result
in death, severe personal injury and/or property damage due to unexpected equipment
operation.
Replace an S7-1200 device with the same model, and be sure to orient and position it
correctly.
21
1.6 New features
1.6 New features

The following features are new in this release:
● You can now implement functional safety, using the hardware and firmware of the S7-
1200 fail-safe CPUs and signal modules (SM) in conjunction with the safety program
downloaded by the software (ES). Refer to the S7-1200 Functional Safety Manual
(http://support.automation.siemens.com/WW/view/en/104547552)for further information.
● Simulation of S7-1200 CPUs with firmware version V4.0 and higher: S7-PLCSIM
V13 SP1 enables you to test your PLC programs on a simulated PLC without requiring
actual hardware. S7-PLCSIM is a separately installed application that operates in
conjunction with STEP 7 in the TIA Portal. You can configure your PLC and any
associated modules in STEP 7, program your application logic, and then download the
hardware configuration and program to S7-PLCSIM. You can then use the tools of
S7-PLCSIM to simulate and test your program. Refer to the online help for S7-PLCSIM
for complete documentation. Note that you cannot simulate fail-safe CPUs.
● Configuration control (option handling) (Page 79): You can configure the hardware for a
maximum machine configuration including modules that you might not actually use during
operation. The configuration and designation of these flexible modules is new with this
release of STEP 7 and the S7-1200. Modules that you so designate will not cause error
conditions if they are absent.
● The Web server (Page 253) now supports access through the IP address of selected
(communications processor) modules in the local rack as well as through the IP address
of the S7-1200 CPU.
● Enhanced motion functionality:
– Analog and PROFIdrive connections
– Modulo and control loop extended parameters
● Period measurement using High-speed counters (HSC) (Page 129)
● Performance improvements to the SCL compiler
● Dynamic copy protection (Page 90) binding of program blocks with a mandatory
password
● Enhanced PROFINET functionality, including support for shared devices.
22
1.6 New features
● New programming instructions:

– EQ_Type, NE_Type, EQ_ElemType, NE_ElemType
– IS_NULL, NOT_NULL
– IS_ARRAY
– Deserialize, Serialize
– VariantGet, VariantPut, CountOfElements
– Variant_to_DB_Any, DB_Any_To_Variant
– GET_IM_DATA
– RUNTIME
– GEO2LOG, IO2MOD
– ReadLittle, WriteLittle, ReadBig, WriteBig (SCL only)
– T_RESET, T_DIAG, and TMAIL_C
– PID_Temp
– New Modbus instructions (Page 188)
– New Point-to-point (PtP) instructions (Page 185)
– New USS instructions (Page 186)
New modules for the S7-1200

New modules expand the power of the S7-1200 CPU and provide the flexibility to meet your
automation needs:
● Industrial remote control communication modules: You can use these CPs as
communication modules with the S7-1200 V4.1 CPU.
● Fail-safe CPUs and I/O: There are four fail-safe CPUs and three fail-safe signal modules
(SM) in conjunction with the S7-1200 V4.1 or later release:
– CPU 1214FC DC/DC/DC (6ES7 214-1AF40-0XB0)
– CPU 1214FC DC/DC/RLY (6ES7 214-1HF40-0XB0)
– CPU 1215FC DC/DC/DC (6ES7 215-1AF40-0XB0)
– CPU 1215FC DC/DC/RLY (6ES7 215-1HF40-0XB0)
– SM 1226 F-DI 16 x 24 VDC (6ES7 226-6BA32-0XB0)
– SM 1226 F-DQ 4 x 24 VDC (6ES7 226-6DA32-0XB0)
– SM 1226 F-DQ 2 x Relay (6ES7 226-6RA32-0XB0)
You can use the S7-1200 standard signal modules (SM), communication modules (CM),
and signal boards (SB) in the same system with fail-safe SMs to complete your
application control functions that do not require a functional safety rating. Standard SMs
that are supported for use with fail-safe SMs have the article numbers (6ES7 --- ---32
0XB0) or later.
23
1.6 New features
Exchanging your V3.0 CPU for a V4.1 CPU

If you are replacing an S7-1200 V3.0 CPU with an S7-1200 V4.1 CPU, take note of the
documented differences (Page 433) in the versions and the required user actions.
24
STEP 7 makes the work easy 2
STEP 7 provides a user-friendly environment to develop controller logic, configure HMI
visualization, and setup network communication. To help increase your productivity, STEP 7
provides two different views of the project: a task-oriented set of portals that are organized
on the functionality of the tools (Portal view), or a project-oriented view of the elements within
the project (Project view). Choose which view helps you work most efficiently. With a single
click, you can toggle between the Portal view and the Project view.
Portal view
① Portals for the different tasks
② Tasks for the selected portal
③ Selection panel for the selected
action
④ Changes to the Project view
Project view
① Menus and toolbar
② Project navigator
③ Work area
④ Task cards
⑤ Inspector window
⑥ Changes to the Portal view
⑦ Editor bar
With all of these components in one place, you have easy access to every aspect of your
project. For example, the inspector window shows the properties and information for the
object that you have selected in the work area. As you select different objects, the inspector
window displays the properties that you can configure. The inspector window includes tabs
that allow you to see diagnostic information and other messages.
By showing all of the editors that are open, the editor bar helps you work more quickly and
efficiently. To toggle between the open editors, simply click the different editor. You can also
arrange two editors to appear together, arranged either vertically or horizontally. This feature
allows you to drag and drop between editors.
25
STEP 7 makes the work easy
2.1 Easy to insert instructions into your user program
2.1 Easy to insert instructions into your user program
STEP 7 provides task cards that contain the instructions for your
program. The instructions are grouped according to function.
To create your program, you drag instructions from the task card
onto a network.
2.2 Easy access to your favorite instructions from a toolbar
STEP 7 provides a "Favorites" toolbar to give you quick access to the instructions that you
frequently use. Simply click the icon for the instruction to insert it into your network!
(For the "Favorites" in the instruction tree, double-
click the icon.)
You can easily customize the

"Favorites" by adding new in-
structions.
Simply drag and drop an instruc-
tion to the "Favorites".
The instruction is now just a click
away!
26
2.3 Easy to add inputs or outputs to LAD and FBD instructions
2.3 Easy to add inputs or outputs to LAD and FBD instructions
Some of the instructions allow you to create additional inputs or outputs.
● To add an input or output, click the "Create" icon or right-click on an input stub for one of
the existing IN or OUT parameters and select the "Insert input" command.
● To remove an input or output, right-click on the stub for one of the existing IN or OUT
parameters (when there are more than the original two inputs) and select the "Delete"
command.
2.4 Expandable instructions
Some of the more complex instructions are expandable, displaying only the key inputs and
outputs. To display all the inputs and outputs, click the arrow at the bottom of the instruction.
27
2.5 Easy to change the operating mode of the CPU
2.5 Easy to change the operating mode of the CPU

The CPU does not have a physical switch for changing the operating mode (STOP or RUN).
Use the "Start CPU" and "Stop CPU" toolbar buttons to change the operating
mode of the CPU.
When you configure the CPU in the device configuration, you configure the start-up behavior
in the properties of the CPU (Page 80).
The "Online and diagnostics" portal also provides an operator panel for changing the
operating mode of the online CPU. To use the CPU operator panel, you must be connected
online to the CPU. The "Online tools" task card displays an operator panel that shows the
operating mode of the online CPU. The operator panel also allows you to change the
operating mode of the online CPU.
Use the button on the operator panel to change the operating mode
(STOP or RUN). The operator panel also provides an MRES button for
resetting the memory.
The color of the RUN/STOP indicator shows the current operating mode of the CPU. Yellow
indicates STOP mode, and green indicates RUN mode.
From the device configuration in STEP 7 you can also configure the default operating mode
on power up of the CPU.
2.6 Easy to modify the appearance and configuration of STEP 7

You can select a variety of settings, such as the appearance of the interface, language, or
the folder for saving your work.
Select the "Settings" command from the "Options" menu to change these settings.
28
2.7 Project and global libraries for easy access
2.7 Project and global libraries for easy access

The global and project libraries allow you to reuse the stored objects throughout a project or
across projects. For example, you can create block templates for use in different projects
and adapt them to the particular requirements of your automation task. You can store a
variety of objects in the libraries, such as FCs, FBs, DBs, device configuration, data types,
watch tables, process screens, and faceplates. You can also save the components of the
HMI devices in your project.
Each project has a project library for storing the objects to be

used more than once within the project. This project library is
part of the project. Opening or closing the project opens or
closes the project library, and saving the project saves any
changes in the project library.
You can create your own global library to store the objects you want to make available for
other projects to use. When you create a new global library, you save this library to a
location on your computer or network.
2.8 Easy to select a version of an instruction

The development and release cycles for certain sets of instructions (such as Modbus, PID
and motion) have created multiple released versions for these instructions. To help ensure
compatibility and migration with older projects, STEP 7 allows you to choose which version
of instruction to insert into your user program.
Click the icon on the instruction tree task card

to enable the headers and columns of the
instruction tree.
To change the version of the instruction, se-

lect the appropriate version from the drop-
down list.
29
2.9 Easy to drag and drop between editors
2.9 Easy to drag and drop between editors
To help you perform tasks quickly and easily,

STEP 7 allows you to drag and drop elements
from one editor to another. For example, you
can drag an input from the CPU to the address
of an instruction in your user program.
You must zoom in at least 200% to select the
inputs or outputs of the CPU.
Notice that the tag names are displayed not
only in the PLC tag table, but also are dis-
played on the CPU.
To display two editors at one time, use the

"Split editor" menu commands or buttons in
the toolbar.
To toggle between the editors that have been opened, click the icons in the editor bar.
30
2.10 Changing the call type for a DB
2.10 Changing the call type for a DB
STEP 7 allows you to easily create or change the associ-

ation of a DB for an instruction or an FB that is in an FB.
• You can switch the association between different DBs.
• You can switch the association between a single-
instance DB and a multi-instance DB.
• You can create an instance DB (if an instance DB is
missing or not available).
You can access the "Change call type" command either
by right-clicking the instruction or FB in the program edi-
tor or by selecting the "Block call" command from the
"Options" menu.
The "Call options" dialog allows

you to select a single-instance
or multi-instance DB. You can
also select specific DBs from a
drop-down list of available DBs.
31
2.11 Temporarily disconnecting devices from a network
2.11 Temporarily disconnecting devices from a network

You can disconnect individual network devices from the subnet. Because the configuration of
the device is not removed from the project, you can easily restore the connection to the
device.
Right-click the interface port of the network

device and select the "Disconnect from sub-
net" command from the context menu.
STEP 7 reconfigures the network connections, but does not remove the disconnected device
from the project. While the network connection is deleted, the interface addresses are not
changed.
When you download the new network connections, the CPU must be set to STOP mode.
To reconnect the device, simply create a new network connection to the port of the device.
32
2.12 Easy to virtually "unplug" modules without losing the configuration
STEP 7 provides a storage area for "un-

plugged" modules. You can drag a module
from the rack to save the configuration of
that module. These unplugged modules
are saved with your project, allowing you
to reinsert the module in the future without
having to reconfigure the parameters.
One use of this feature is for temporary
maintenance. Consider a scenario where
you might be waiting for a replacement
module and plan to temporarily use a dif-
ferent module as a short-term replace-
ment. You could drag the configured
module from the rack to the "Unplugged
modules" and then insert the temporary
module.
33
34
Getting started 3
3.1 Create a project
Working with STEP 7 is easy! See how quickly you can get started with creating a project.
In the Start portal, click the

"Create new project" task.
Enter a project name and click
the "Create" button.
After creating the project, select the Devices &

Networks portal.
Click the "Add new device" task.
Select the CPU to add to the project:

1. In the "Add new device" dialog, click the
"SIMATIC PLC" button.
2. Select a CPU from the list.
3. To add the selected CPU to the project, click
the "Add" button.
Note that the "Open device view" option is select-
ed. Clicking "Add" with this option selected opens
the "Device configuration" of the Project view.
The Device view displays the

CPU that you added.
35
Getting started
3.2 Create tags for the I/O of the CPU

"PLC tags" are the symbolic names for I/O and addresses. After you create a PLC tag,
STEP 7 stores the tag in a tag table. All of the editors in your project (such as the program
editor, the device editor, the visualization editor, and the watch table editor) can access the
tag table.
With the device editor open, open a tag table.

You can see the open editors displayed in the editor bar.
In the tool bar, click the "Split editor space horizontally" button.
STEP 7 displays both the tag table and the de-

vice editor together.
Zoom the device configuration to over 200% so that the I/O points of the CPU are legible and
selectable. Drag the inputs and outputs from the CPU to the tag table:
1. Select I0.0 and drag it to the first row of the tag table.
2. Change the tag name from "I0.0" to "Start".
3. Drag I0.1 to the tag table and change the name to "Stop".
4. Drag Q0.0 (on the bottom of the CPU) to the tag table and change the name to
"Running".
36
Getting started
With the tags entered into the PLC tag table, the tags are available to your user program.
37
Getting started
3.3 Create a simple network in your user program

Your program code consists of instructions that the CPU executes in sequence. For this
example, use ladder logic (LAD) to create the program code. The LAD program is a
sequence of networks that resemble the rungs of a ladder.
To open the program editor, follow these steps:

1. Expand the "Program blocks" folder in the Project tree to
display the "Main [OB1]" block.
2. Double-click the "Main [OB1]" block.
The program editor opens the program block (OB1).
Use the buttons on the "Favorites" to insert contacts and coils onto the network.
1. Click the "Normally open contact"

button on the "Favorites" to add a
contact to the network.
2. For this example, add a second
contact.
3. Click the "Output coil" button to
insert a coil.
The "Favorites" also provides a button for creating a branch
1. Select the left rail to select the rail

for the branch.
2. Click the "Open branch" icon to
add a branch to the rail of the
network.
3. Insert another normally open
contact to the open branch.
4. Drag the double-headed arrow to a
connection point (the green square
on the rung) between the two
contacts on the first rung.
38
Getting started
To save the project, click the "Save project" button in the toolbar. Notice that you do not have
to finish editing the rung before saving. You can now associate the tag names with these
instructions.
39
Getting started
3.4 Use the PLC tags in the tag table for addressing the instructions
3.4 Use the PLC tags in the tag table for addressing the instructions
Using the tag table, you can quickly enter the PLC tags for the addresses of the contacts and
coils.
1. Double-click the default address

<??.?> above the first normally
open contact.
2. Click the selector icon to the right
of the address to open the tags in
the tag table.
3. From the drop-down list, select
"Start" for the first contact.
4. For the second contact, repeat the
preceding steps and select the tag
"Stop".
5. For the coil and the latching
contact, select the tag "Running".
You can also drag the I/O addresses directly

from the CPU. Simply split the work area of the
Project view (Page 34).
You must zoom the CPU to over 200% in order
to select the I/O points.
You can drag the I/O on the CPU in the "Device
configuration" to the LAD instruction in the pro-
gram editor to create not only the address for the
instruction, but also to create an entry in the PLC
tag table.
40
Getting started
3.5 Add a "box" instruction
3.5 Add a "box" instruction

The program editor features a generic "box" instruction. After inserting this box instruction,
you then select the type of instruction, such as an ADD instruction, from a drop-down list.
Click the generic "box" instruction in

the "Favorites" tool bar.
The generic "box" instruction supports

a variety of instructions. For this ex-
ample, create an ADD instruction:
1. Click the yellow corner of the box
instruction to display the drop-
down list of instructions.
2. Scroll down the list and select the
ADD instruction.
3. Click the yellow corner by the "?" to
select the data type for the inputs
and output.
You can now enter the tags (or

memory addresses) for the values to
use with the ADD instruction.
You can also create additional inputs for certain instructions:

1. Click one of the inputs inside the box.
2. Right-click to display the context menu and select the "Insert
input" command.
The ADD instruction now uses three inputs.
41
Getting started
3.6 Use the CALCULATE instruction for a complex mathematical equation
3.6 Use the CALCULATE instruction for a complex mathematical

equation
The Calculate instruction (Page 111) lets you create a math function that operates on multi-
ple input parameters to produce the result, according to the equation that you define.
In the Basic instruction tree, expand the Math functions folder.
Double-click the Calculate instruction to insert the instruction
into your user program.
The unconfigured Calculate instruc-

tion provides two input parameters
and an output parameter.
Click the "???" and select the data types for the input and output pa-
rameters. (The input and output parameters must all be the same data
type.)
For this example, select the "Real" data type.
Click the "Edit equation" icon to enter the equation.
42
Getting started
3.6 Use the CALCULATE instruction for a complex mathematical equation
For this example, enter the following equation for scaling a raw analog value. (The "In" and
"Out" designations correspond to the parameters of the Calculate instruction.)
Out value = ((Out high - Out low) / (In high - In low)) * (In value - In low) + Out low
Out = ((in4 - in5) / (in2 - in3)) * (in1 - in3) + in5
Where: Out value (Out) Scaled output value
In value (in1) Analog input value
In high (in2) Upper limit for the scaled input value
In low (in3) Lower limit for the scaled input value
Out high (in4) Upper limit for the scaled output value
Out low (in5) Lower limit for the scaled output value
In the "Edit Calculate" box, enter the equation with the parameter names:
OUT = ((in4 - in5) / (in2 - in3)) * (in1 - in3) + in5
When you click "OK", the Calculate

instruction creates the inputs re-
quired for the instruction.
Enter the tag names for the values

that correspond to the parameters.
43
Getting started
3.7 Add an HMI device to the project
3.7 Add an HMI device to the project
Adding an HMI device to your project is

easy!
1. Double-click the "Add new device" icon.

2. Click the "SIMATIC HMI" button in the
Add new device" dialog.
3. Select the specific HMI device from the
list.
You can choose to run the HMI wizard
to help you configure the screens for
the HMI device.
4. Click "OK" to add the HMI device to
your project.
The TIA Portal adds the HMI device to the project.

The TIA Portal provides an HMI wizard that helps you
configure all of the screens and structure for your HMI
device.
If you do not run the HMI wizard, the TIA Portal creates a simple default HMI screen. You
can add additional screens or objects on screens later.
44
Getting started
3.8 Create a network connection between the CPU and HMI device
3.8 Create a network connection between the CPU and HMI device
Creating a network is easy!

• Go to "Devices and Networks" and select the
Network view to display the CPU and HMI
device.
• To create a PROFINET network, drag a line
from the green box (Ethernet port) on one
device to the green box on the other device.
A network connection is created for the two devic-
es.
3.9 Create an HMI connection to share tags
By creating an HMI connection between the

two devices, you can easily share the tags
between the two devices.
• With the network connection selected, click
the "Connections" button and select "HMI
connection" from the drop-down list.
• The HMI connection turns the two devices
blue.
• Select the CPU device and drag the line to
the HMI device.
• The HMI connection allows you to configure
the HMI tags by selecting a list of PLC tags.
45
Getting started
3.10 Create an HMI screen
You can use other options for creating an HMI connection:

● Dragging a PLC tag from the PLC tag table, the program editor or the device
configuration editor to the HMI screen editor automatically creates an HMI connection.
● Using the HMI wizard to browse for the PLC automatically creates the HMI connection.
3.10 Create an HMI screen

Even if you do not utilize the HMI wizard, configuring an HMI screen is easy.
STEP 7 provides a standard set of librar-

ies for inserting basic shapes, interactive
elements, and even standard graphics.
To add an element, simply drag and drop one of the elements onto the screen. Use the
properties for the element (in the Inspector window) to configure the appearance and
behavior of the element.
You can also create elements on your screen by dragging and dropping PLC tags either
from the Project tree or the program editor to the HMI screen. The PLC tag becomes an
element on the screen. You can then use the properties to change the parameters for this
element.
46
Getting started
3.11 Select a PLC tag for the HMI element

After you create the element on your screen, use the properties of the element to assign a
PLC tag to the element. Click the selector button by the tag field to display the PLC tags of
the CPU.
You can also drag and drop PLC tags from the Project tree to the HMI screen. Display the
PLC tags in the "Details" view of the project tree and then drag the tag to the HMI screen.
47
Getting started
48
PLC concepts made easy 4
4.1 Tasks performed every scan cycle
Each scan cycle includes writing the outputs, reading the inputs, executing the user program
instructions, and performing system maintenance or background processing.
The cycle is referred to as a scan cycle or scan. Under

default conditions, all digital and analog I/O points are
updated synchronously with the scan cycle using an in-
ternal memory area called the process image. The pro-
cess image contains a snapshot of the physical inputs
and outputs on the CPU, signal board, and signal mod-
ules.
● The CPU reads the physical inputs just prior to the execution of the user program and
stores the input values in the process image input area. This ensures that these values
remain consistent throughout the execution of the user instructions.
● The CPU executes the logic of the user instructions and updates the output values in the
process image output area instead of writing to the actual physical outputs.
● After executing the user program, the CPU writes the resulting outputs from the process
image output area to the physical outputs.
49
PLC concepts made easy
4.2 Operating modes of the CPU
This process provides consistent logic through the execution of the user instructions for a
given cycle and prevents the flickering of physical output points that might change state
multiple times in the process image output area.
STARTUP RUN
A Clears the I (image) memory area ① Writes Q memory to the physical outputs
B Initializes the Q output (image) memory ② Copies the state of the physical inputs to I
area with either zero, the last value, or memory
the substitute value, as configured, and
zeroes PB, PN, and AS-i outputs
C Initializes non-retentive M memory and ③ Executes the program cycle OBs
data blocks to their initial value and
enables configured cyclic interrupt and
time of day events.
Executes the startup OBs.
D Copies the state of the physical inputs to ④ Performs self-test diagnostics
I memory
E Stores any interrupt events into the ⑤ Processes interrupts and communications
queue to be processed after entering during any part of the scan cycle
RUN mode
F Enables the writing of Q memory to the
physical outputs
You can change the default behavior for a module by removing it from this automatic update
of I/O. You can also immediately read and write digital and analog I/O values to the modules
when an instruction executes. Immediate reads of physical inputs do not update the process
image input area. Immediate writes to physical outputs update both the process image
output area and the physical output point.
50

The CPU has three modes of operation: STOP mode, STARTUP mode, and RUN mode.
Status LEDs on the front of the CPU indicate the current mode of operation.
● In STOP mode, the CPU is not executing the program, and you can download a project.
The RUN/STOP LED is solid yellow.
● In STARTUP mode, the CPU executes any startup logic (if present). The CPU does not
process interrupt events during the startup mode. The RUN/STOP LED alternates
flashing between green and yellow.
● In RUN mode, the scan cycle executes repeatedly. Interrupt events can occur and the
CPU can process them at any point within the program cycle phase. You can download
some parts of a project in RUN mode. The RUN/STOP LED is solid green.
The CPU supports the warm restart method for entering the RUN mode. Warm restart does
not include a memory reset, but you can command a memory reset from STEP 7. A memory
reset clears all work memory, clears retentive and non-retentive memory areas, copies load
memory to work memory, and sets outputs to the configured "Reaction to CPU STOP". A
memory reset does not clear the diagnostics buffer or the permanently saved IP address. A
warm restart initializes all non-retentive system and user data.
You can configure the "startup after POWER ON" setting of the CPU complete with restart
method using STEP 7. This configuration item appears under the Device Configuration for
the CPU under Startup. At power up, the CPU performs a sequence of power-up diagnostic
checks and system initialization. During system initialization, the CPU deletes all non-
retentive bit memory and resets all non-retentive DB contents to initial values. The CPU then
enters the appropriate power-up mode. Certain errors will prevent the CPU from entering the
RUN mode. The CPU supports the following power-up modes: STOP mode, "Go to RUN
mode after warm restart", and "Go to previous mode after warm restart".
NOTICE
Warm restart mode configuration
The CPU can enter STOP mode due to repairable faults, such as failure of a replaceable
signal module, or temporary faults, such as power line disturbance or erratic power up
event.
If the CPU has been configured to "Warm restart mode prior to POWER OFF", it will not
return to RUN mode when the fault is repaired or removed until it receives a new command
from STEP 7 to go to RUN. Without a new command, the STOP mode is retained as the
mode prior to POWER OFF.
CPUs that are intended to operate independently of a STEP 7 connection should typically
be configured to "Warm restart - RUN" so that the CPU can be returned to RUN mode by a
power cycle following the removal of fault conditions.
The CPU does not provide a physical switch for changing the operat-
ing mode. To change the operating mode of the CPU, STEP 7 pro-
vides the following tools:
• "Stop" and "Run" buttons on the STEP 7 toolbar
• CPU operator panel in the online tools
51
4.3 Execution of the user program
You can also include a STP instruction in your program to change the CPU to STOP mode.
This allows you to stop the execution of your program based on the program logic. The Web
server (Page 254) also provides a page for changing the operating mode.

The CPU supports the following types of code blocks that allow you to create an efficient
structure for your user program:
● Organization blocks (OBs) define the structure of the program. Some OBs have
predefined behavior and start events, but you can also create OBs with custom start
events (Page 58).
● Functions (FCs) and function blocks (FBs) contain the program code that corresponds to
specific tasks or combinations of parameters. Each FC or FB provides a set of input and
output parameters for sharing data with the calling block. An FB also uses an associated
data block (called an instance DB) to maintain state of values between execution that can
be used by other blocks in the program.
● Data blocks (DBs) store data that can be used by the program blocks.
The size of the user program, data, and configuration is limited by the available load memory
and work memory in the CPU (Page 15). There is no specific limit to the number of each
individual OB, FC, FB and DB block. However, the total number of blocks is limited to 1024.
4.3.1 Processing the scan cycle in RUN mode

For each scan cycle, the CPU writes the outputs, reads the inputs, executes the user
program, updates communication modules, and responds to user interrupt events and
communication requests. Communication requests are handled periodically throughout the
scan.
These actions (except for user interrupt events) are serviced regularly and in sequential
order. User interrupt events that are enabled are serviced according to priority in the order in
which they occur. For interrupt events, the CPU reads the inputs, executes the OB, and then
writes the outputs, using the associated process image partition (PIP), if applicable.
52
The system guarantees that the scan cycle will be completed in a time period called the
maximum cycle time; otherwise a time error event is generated.
● Each scan cycle begins by retrieving the current values of the digital and analog outputs
from the process image and then writing them to the physical outputs of the CPU, SB,
and SM modules configured for automatic I/O update (default configuration). When a
physical output is accessed by an instruction, both the output process image and the
physical output itself are updated.
● The scan cycle continues by reading the current values of the digital and analog inputs
from the CPU, SB, and SMs configured for automatic I/O update (default configuration),
and then writing these values to the process image. When a physical input is accessed
by an instruction, the value of the physical input is accessed by the instruction, but the
input process image is not updated.
● After reading the inputs, the user program is executed from the first instruction through
the end instruction. This includes all the program cycle OBs plus all their associated FCs
and FBs. The program cycle OBs are executed in order according to the OB number with
the lowest OB number executing first.
Communications processing occurs periodically throughout the scan, possibly interrupting
user program execution.
Self-diagnostic checks include periodic checks of the system and the I/O module status
checks.
Interrupts can occur during any part of the scan cycle, and are event-driven. When an event
occurs, the CPU interrupts the scan cycle and calls the OB that was configured to process
that event. After the OB finishes processing the event, the CPU resumes execution of the
user program at the point of interruption.
4.3.2 OBs help you structure your user program

OBs control the execution of the user program. Specific events in the CPU trigger the
execution of an organization block. OBs cannot call each other or be called from an FC or
FB. Only an event such as a diagnostic interrupt or a time interval, can start the execution of
an OB. The CPU handles OBs according to their respective priority classes, with higher
priority OBs executing before lower priority OBs. The lowest priority class is 1 (for the main
program cycle), and the highest priority class is 26.
53
4.3.3 Event execution priorities and queuing

The CPU processing is controlled by events. An event triggers an interrupt OB to be
executed. You can specify the interrupt OB for an event during the creation of the block,
during the device configuration, or with an ATTACH or DETACH instruction. Some events
happen on a regular basis like the program cycle or cyclic events. Other events happen only
a single time, like the startup event and time delay events. Some events happen when the
hardware triggers an event, such as an edge event on an input point or a high speed counter
event. Events like the diagnostic error and time error event only happen when an error
occurs. The event priorities and queues are used to determine the processing order for the
event interrupt OBs.
The CPU processes events in order of priority where 1 is the lowest priority and 26 is the
highest priority. Prior to V4.0 of the S7-1200 CPU, each type of OB belonged to a fixed
priority class (1 to 26). From V4.0 forward, you can assign a priority class to each OB that
you configure. You configure the priority number in the attributes of the OB properties.
Interruptible and non-interruptible execution modes

OBs (Page 57) execute in priority order of the events that trigger them. From V4.0 forward,
you can configure OB execution to be interruptible or non-interruptible. Note that program
cycle OBs are always interruptible, but you can configure all other OBs to be either
interruptible or non-interruptible.
If you set interruptible mode, then if an OB is executing and a higher priority event occurs
before the OB completes its execution, the running OB is interrupted to allow the higher-
priority event OB to run. The higher-priority event runs, and at its completion, the OB that
was interrupted continues. When multiple events occur while an interruptible OB is
executing, the CPU processes those events in priority order.
If you do not set interruptible mode, then an OB runs to completion when triggered
regardless of any other events that trigger during the time that it is running.
Consider the following two cases where interrupt events trigger a cyclic OB and a time delay
OB. In both cases, the time delay OB (OB201) has no process image partition assignment
and executes at priority 4. The cyclic OB (OB200) has a process image partition assignment
of PIP1 and executes at priority 2. The following illustrations show the difference in execution
between non-interruptible and interruptible execution modes:
Figure 4-1 Case 1: Non-interruptible OB execution
54
Figure 4-2 Case 2: Interruptible OB execution
Note
If you configure the OB execution mode to be non-interruptible, then a time error OB cannot
interrupt OBs other than program cycle OBs. Prior to V4.0 of the S7-1200 CPU, a time error
OB could interrupt any executing OB. From V4.0 forward, you must configure OB execution
to be interruptible if you want a time error OB (or any other higher priority OB) to be able to
interrupt executing OBs that are not program cycle OBs.
Understanding event execution priorities and queuing

The CPU limits the number of pending (queued) events from a single source, using a
different queue for each event type. Upon reaching the limit of pending events for a given
event type, the next event is lost. You can use a time error interrupt OB to respond to queue
overflows.
Each CPU event has an associated priority. In general, the CPU services events in order of
priority (highest priority first). The CPU services events of the same priority on a "first-come,
first-served" basis.
Table 4- 1 OB events
Event Quantity allowed Default OB priority

Program cycle 1 program cycle event 14
Multiple OBs allowed
Startup 1 startup event 1 14
Multiple OBs allowed
Time delay Up to 4 time events 3
1 OB per event
Cyclic interrupt Up to 4 events 8
1 OB per event
Hardware interrupt Up to 50 hardware interrupt events2 18
1 OB per event, but you can use the same OB for 18
multiple events
Time error 1 event (only if configured)3 22 or 264
Diagnostic error 1 event (only if configured) 5
Pull or plug of modules 1 event 6
55
Event Quantity allowed Default OB priority

Rack or station failure 1 event 6
Time of day Up to 2 events 2
Status 1 event 4
Update 1 event 4
Profile 1 event 4
1 The startup event and the program cycle event never occur at the same time because the startup
event runs to completion before the program cycle event starts.
2 You can have more than 50 hardware interrupt event OBs if you use the DETACH and ATTACH
instructions.
3 You can configure the CPU to stay in RUN if the scan cycle exceeds the maximum scan cycle time
or you can use the RE_TRIGR instruction to reset the cycle time. However, the CPU goes to
STOP mode the second time that one scan cycle exceeds the maximum scan cycle time.
4 The priority for a new V4.0 or V4.1 CPU is 22. If you exchange a V3.0 CPU for a V4.0 or V4.1
CPU, the priority is 26: the priority that was in effect for V3.0. In either case, the priority field is ed-
itable and you can set the priority to any value in the range 22 to 26.
Refer to the topic "Exchanging a V3.0 CPU for a V4.1 CPU (Page 433)" for more details.
In addition, the CPU recognizes other events that do not have associated OBs. The following
table describes these events and the corresponding CPU actions:
Table 4- 2 Additional events
Event Description CPU action

I/O access error Direct I/O read/write error The CPU logs the first occurrence in the
diagnostic buffer and stays in RUN mode.
Max cycle time error CPU exceeds the configured The CPU logs the error in the diagnostic
cycle time twice buffer and transitions to STOP mode.
Peripheral access error I/O error during process im- The CPU logs the first occurrence in the
age update diagnostic buffer and stays in RUN mode.
Programming error program execution error If the block with the error provides error
handling, it updates the error structure; if
not, the CPU logs the error in the diagnos-
tic buffer and stays in RUN mode.
Interrupt latency
The interrupt event latency (the time from notification of the CPU that an event has occurred
until the CPU begins execution of the first instruction in the OB that services the event) is
approximately 175 µsec, provided that a program cycle OB is the only event service routine
active at the time of the interrupt event.
56
4.4 Memory areas, addressing and data types

The CPU provides the following memory areas to store the user program, data, and
configuration:
● Load memory is non-volatile storage for the user program, data and configuration. When
a project is downloaded to the CPU, it is first stored in the Load memory area. This area
is located either in a memory card (if present) or in the CPU. This non-volatile memory
area is maintained through a power loss. You can increase the amount of load memory
available for data logs by installing a memory card.
● Work memory is volatile storage for some elements of the user project while executing
the user program. The CPU copies some elements of the project from load memory into
work memory. This volatile area is lost when power is removed, and is restored by the
CPU when power is restored.
● Retentive memory is non-volatile storage for a limited quantity of work memory values.
The retentive memory area is used to store the values of selected user memory locations
during power loss. When a power down or power loss occurs, the CPU restores these
retentive values upon power up.
An optional SIMATIC memory card provides an alternative memory for

storing your user program or a means for transferring your program. If you
use the memory card, the CPU runs the program from the memory card
and not from the memory in the CPU.
Check that the memory card is not write-protected. Slide the protection
switch away from the "Lock" position.
Use the optional SIMATIC memory card as a program card, as a transfer card, for collecting
data log files, or to perform a firmware update.
● Use the transfer card to copy your project to multiple CPUs without using STEP 7. The
transfer card copies a stored project from the card to the memory of the CPU. You must
remove the transfer card after copying the program to the CPU.
● The program card takes the place of CPU memory; all of your CPU functions are
controlled by the program card. Inserting the program card erases all of the internal load
memory of the CPU (including the user program and any forced I/O). The CPU then
executes the user program from the program card.
● You can also use the program card for collecting data log files (Page 122). The program
card provides more memory than the internal memory of the CPU. The Web server
function (Page 253) of the CPU allows you to download the data log files to a computer.
● You can also use a memory card to perform a firmware update. Refer to the S7-1200
Programmable Controller System Manual for instructions.
Note
The program card must remain in the CPU. If you remove the program card, the CPU goes
to STOP mode.
57
4.4.1 Data types supported by the S7-1200

Data types are used to specify both the size of a data element as well as how the data are to
be interpreted. Each instruction parameter supports at least one data type, and some
parameters support multiple data types. Hold the cursor over the parameter field of an
instruction to see which data types are supported for a given parameter.
Table 4- 3 Data types supported by the S7-1200
Data types Description

Bit and bit-sequence • Bool is a Boolean or bit value.
data types
• Byte is an 8-bit byte value.
• Word is a 16-bit value.
• DWord is a 32-bit double-word value.
Integer data types • USInt (unsigned 8-bit integer) and SInt (signed 8-bit integer) are "short" integers (8 bits or 1
byte of memory) that can be signed or unsigned.
• UInt (unsigned 16-bit integer) and Int (signed 16-bit integer) are integers (16 bits or 1 word of
memory) that can be signed or unsigned.
• UDInt (unsigned 32-bit integer) and DInt (signed 32-bit integer) are double integers (32 bits or
1 double-word of memory) that can be signed or unsigned.
Real number data • Real is a 32-bit Real number or floating-point value.
types
• LReal is a 64-bit Real number or floating-point value.
Date and time data • Date is a 16-bit date value (similar to a UInt) that contains the number of days since January
types 1, 1990. The maximum date value is 65378 (16#FF62), which corresponds to December 31,
2168. All possible Date values are valid.
• DTL (date and time long) is a structure of 12 bytes that saves information on date and time in
a predefined structure.
– Year (UInt): 1970 to 2554
– Month (USInt): 1 to 12
– Day (USInt): 1 to 31
– Weekday (USInt): 1 (Sunday) to 7 (Saturday)
– Hours (USInt): 0 to 23
– Minutes (USInt): 0 to 59
– Seconds (USInt): 0 to 59
– Nanoseconds (UDInt): 0 to 999999999
• Time is a 32-bit IEC time value (similar to a Dint) that stores the number of milliseconds (from
0 to 24 days 20 hours 31 minutes 23 seconds and 647 ms). All possible Time values are val-
id. Time values can be used for calculations, and negative times are possible.
• TOD (time of day) is a 32-bit time-of-day value (similar to a Dint) that contains the number of
milliseconds since midnight (from 0 to 86399999).
Character and string • Char is an 8-bit single character.
data types
• String is a variable-length string of up to 254 characters.
58
Data types Description

Array and structure • Array contains multiple elements of the same data type. Arrays can be created in the block
data types interface editors for OB, FC, FB, and DB. You cannot create an array in the PLC tags editor.
• Struct defines a structure of data consisting of other data types. The Struct data type can be
used to handle a group of related process data as a single data unit. You declare the name
and internal data structure for the Struct data type in the data block editor or a block interface
editor.
Arrays and structures can also be assembled into a larger structure. A structure can be nested
up to eight levels deep. For example, you can create a structure of structures that contain arrays.
PLC data types PLC Data type is a user-defined data structure that defines a custom data structure that you can
use multiple times in your program. When you create a PLC Data type, the new PLC Data type
appears in the data type selector drop drop-lists in the DB editor and code block interface editor.
PLC Data types can be used directly as a data type in a code block interface or in data blocks.
PLC Data types can be used as a template for the creation of multiple global data blocks that use
the same data structure.
Pointer data types • Pointer provides an indirect reference to the address of a tag. It occupies 6 bytes (48 bits) in
memory and can include the following information to a variable: DB number (or 0 if the data is
not stored in a DB), memory area in the CPU, and the memory address.
• Any provides an indirect reference to the beginning of a data area and identifies its length.
The Any pointer uses 10 bytes in memory and can include the following information: Data
type of the data elements, number of data elements, memory area or DB number, and the
"Byte.Bit" starting address of the data.
• Variant provides an indirect reference to tags of different data types or parameters. The Vari-
ant pointer recognizes structures and individual structural components. The Variant does not
occupy any space in memory.
Although not available as data types, the following BCD (binary coded decimal) numeric
formats are supported by the conversion instructions.
● BCD16 is a 16-bit value (-999 to 999).
● BCD32 is a 32-bit value (-9999999 to 9999999).
59
4.4.2 Addressing memory areas

STEP 7 facilitates symbolic programming. You create symbolic names or "tags" for the
addresses of the data, whether as PLC tags relating to memory addresses and I/O points or
as local variables used within a code block. To use these tags in your user program, simply
enter the tag name for the instruction parameter. For a better understanding of how the CPU
structures and addresses the memory areas, the following paragraphs explain the "absolute"
addressing that is referenced by the PLC tags. The CPU provides several options for storing
data during the execution of the user program:
● Global memory: The CPU provides a variety of specialized memory areas, including
inputs (I), outputs (Q) and bit memory (M). This memory is accessible by all code blocks
without restriction.
● Data block (DB): You can include DBs in your user program to store data for the code
blocks. The data stored persists when the execution of the associated code block comes
to an end. A "global" DB stores data that can be used by all code blocks, while an
instance DB stores data for a specific FB and is structured by the parameters for the FB.
● Temp memory: Whenever a code block is called, the operating system of the CPU
allocates the temporary, or local, memory (L) to be used during the execution of the
block. When the execution of the code block finishes, the CPU reallocates the local
memory for the execution of other code blocks.
Each different memory location has a unique address. Your user program uses these
addresses to access the information in the memory location.
References to the input (I) or output (Q) memory areas, such as I0.3 or Q1.7, access the
process image. To immediately access the physical input or output, append the reference
with ":P" (such as I0.3:P, Q1.7:P, or "Stop:P").
Forcing applies a fixed value to a physical input (Ix.y:P) or a physical output (Qx.y:P) only.
To force an input or output, append a ":P" to the PLC tag or the address. For more
information, see "Forcing variables in the CPU" (Page 340).
Table 4- 4 Memory areas
Memory area Description Force Retentive

I Copied from physical inputs at the beginning of the scan No No
Process image input cycle
I_:P1 Immediate read of the physical input points on the CPU, Yes No
(Physical input) SB, and SM
Q Copied to physical outputs at the beginning of the scan No No
Process image output cycle
Q_:P1 Immediate write to the physical output points on the Yes No
(Physical output) CPU, SB, and SM
M Control and data memory No Yes
Bit memory (optional)
L Temporary data for a block local to that block No No
Temp memory
DB Data memory and also parameter memory for FBs No Yes
Data block (optional)
1 To immediately access (or to force) the physical inputs and physical outputs, append a ":P" to the address or tag (such
as I0.3:P, Q1.7:P, or "Stop:P").
60
Each different memory location has a unique address. Your user program uses these
addresses to access the information in the memory location. The absolute address consists
of the following elements:
● Memory area (such as I, Q, or M)
● Size of the data to be accessed (such as "B" for Byte or "W" for Word)
● Address of the data (such as Byte 3 or Word 3)
When accessing a bit in the address for a Boolean value, you do not enter a mnemonic for
the size. You enter only the memory area, the byte location, and the bit location for the data
(such as I0.0, Q0.1, or M3.4).
Absolute address of a memory area:

A Memory area identifier
B Byte address: byte 3
C Separator ("byte.bit")
D Bit location of the byte (bit 4 of 8)
E Bytes of the memory area
F Bits of the selected byte
In the example, the memory area and byte address (M = bit memory area, and 3 = Byte 3)
are followed by a period (".") to separate the bit address (bit 4).
61
Configuring the I/O in the CPU and I/O modules
When you add a CPU and I/O modules to your

device configuration, STEP 7 automatically assigns
I and Q addresses. You can change the default
addressing by selecting the address field in the
device configuration and entering new numbers.
• STEP 7 assigns digital inputs and outputs in
groups of 8 points (1 byte), whether the module
uses all the points or not.
• STEP 7 allocates analog inputs and outputs in
groups of 2, where each analog poing occupies
2 bytes (16 bits).
The figure shows an example of a CPU 1214C with two SMs and one SB. In this example,
you could change the address of the DI8 module to 2 instead of 8. The tool assists you by
changing address ranges that are the wrong size or conflict with other addresses.
62
4.4.3 Accessing a "slice" of a tagged data type

PLC tags and data block tags can be accessed at the bit, byte, or word level depending on
their size. The syntax for accessing such a data slice is as follows:
● "<PLC tag name>".xn (bit access)
● "<PLC tag name>".bn (byte access)
● "<PLC tag name>".wn (word access)
● "<Data block name>".<tag name>.xn (bit access)
● "<Data block name>".<tag name>.bn (byte access)
● "<Data block name>".<tag name>.wn (word access)
A double word-sized tag can be accessed by bits 0 - 31, bytes 0 - 3, or word 0 - 1. A word-
sized tag can be accessed by bits 0 - 15, bytes 0 - 1, or word 0. A byte-sized tag can be
accessed by bits 0 - 7, or byte 0. Bit, byte, and word slices can be used anywhere that bits,
bytes, or words are expected operands.
Note
Valid data types that can be accessed by slice are Byte, Char, Conn_Any, Date, DInt,
DWord, Event_Any, Event_Att, Hw_Any, Hw_Device, HW_Interface, Hw_Io, Hw_Pwm,
Hw_SubModule, Int, OB_Any, OB_Att, OB_Cyclic, OB_Delay, OB_WHINT, OB_PCYCLE,
OB_STARTUP, OB_TIMEERROR, OB_Tod, Port, Rtm, SInt, Time, Time_Of_Day, UDInt,
UInt, USInt, and Word. PLC Tags of type Real can be accessed by slice, but data block tags
of type Real cannot.
63
Examples
In the PLC tag table, "DW" is a declared tag of type DWORD. The examples show bit, byte,
and word slice access:
LAD FBD SCL

Bit access IF "DW".x11 THEN
...
END_IF;
Byte access IF "DW".b2 = "DW".b3

THEN
...
END_IF;
Word access out:= "DW".w0 AND

"DW".w1;
4.4.4 Accessing a tag with an AT overlay

The AT tag overlay allows you to access an already-declared tag of a standard access block
with an overlaid declaration of a different data type. You can, for example, address the
individual bits of a tag of a Byte, Word, or DWord data type with an Array of Bool.
Declaration
To overlay a parameter, declare an additional parameter directly after the parameter that is
to be overlaid and select the data type "AT". The editor creates the overlay, and you can
then choose the data type, struct, or array that you wish to use for the overlay.
Example
This example shows the input parameters of a standard-access FB. The byte tag B1 is
overlaid with an array of Booleans:
64
Another example is a DWord tag overlaid with a Struct, which includes a Word, Byte, and
two Booleans:
The Offset column of the block interface shows the location of the overlaid data types
relative to the original tag.
You can addresss the overlay types directly in the program logic:
LAD FBD SCL

IF #OV[1] THEN
...
END_IF;
IF #DW1_Struct.W1 = W#16#000C THEN

...
END_IF;
out1 := #DW1_Struct.B1;
IF #OV[4] AND #DW1_Struct.BO2 THEN

...
END_IF;
Rules
● Overlaying of tags is only possible in FB and FC blocks with standard (not optimized)
access.
● You can overlay parameters for all block types and all declaration sections.
● You can use an overlaid parameter like any other block parameter.
● You cannot overlay parameters of type VARIANT.
● The size of the overlaying parameter must be less than or equal to the size of the overlaid
parameter.
● You must declare the overlaying variable immediately after the variable that it overlays
and select the keyword "AT" as the initial data type selection.
65
4.5 Pulse outputs
4.5 Pulse outputs

The CPU or signal board (SB) can be configured to provide four pulse generators for
controlling high-speed pulse output functions, either as pulse-width modulation (PWM) or as
pulse-train output (PTO). The basic motion instructions use PTO outputs. You can assign
each pulse generator to either PWM or PTO, but not both at the same time.
Pulse outputs cannot be used by other instructions in the

user program. When you configure the outputs of the
CPU or SB as pulse generators, the corresponding out-
put addresses are removed from the Q memory and can-
not be used for other purposes in your user program. If
your user program writes a value to an output used as a
pulse generator, the CPU does not write that value to the
physical output.
Note
Do not exceed the maximum pulse frequency.
The maximum pulse frequency of the pulse output generators is 1 MHz for the CPU 1217C
and 100 kHz for CPUs 1211C, 1212C, 1214C, and 1215C; 20 kHz (for a standard SB); or
200 kHz (for a high-speed SB).
The four pulse generators have default I/O assignments; however, they can be configured to
any digital output on the CPU or SB. Pulse generators on the CPU cannot be assigned to
distributed I/O.
When configuring the basic motion instructions, be aware that STEP 7 does not alert you if
you configure an axis with a maximum speed or frequency that exceeds this hardware
limitation. This could cause problems with your application, so always ensure that you do not
exceed the maximum pulse frequency of the hardware.
You can use onboard CPU outputs, or you can use the optional signal board outputs. The
output point numbers are shown in the following table (assuming the default output
configuration). If you have changed the output point numbering, then the output point
numbers will be those you assigned. Note that PWM requires only one output, while PTO
can optionally use two outputs per channel. If an output is not required for a pulse function, it
is available for other uses.
66
4.5 Pulse outputs
The four pulse generators have default I/O assignments; however, they can be configured to
any digital output on the CPU or SB. Pulse generators on the CPU cannot be assigned to
SMs or to distributed I/O.
Table 4- 5 Default output assignments for the pulse generators
Description Pulse Direction

PTO1
Built-in I/O Q0.0 Q0.1
SB I/O Q4.0 Q4.1
PWM1
Built-in outputs Q0.0 -
SB outputs Q4.0 -
PTO2
SB I/O Q4.2 Q4.3
PWM2
SB outputs Q4.2 -
PTO3
SB I/O Q4.0 Q4.1
PWM3
SB outputs Q4.1 -
PTO4
SB I/O Q4.2 Q4.3
PWM4
SB outputs Q4.3 -
1 The CPU 1211C does not have outputs Q0.4, Q0.5, Q0.6, or Q0.7. Therefore, these outputs can-
not be used in the CPU 1211C.
2 The CPU 1212C does not have outputs Q0.6 or Q0.7. Therefore, these outputs cannot be used in
the CPU 1212C.
3 This table applies to the CPU 1211C, CPU 1212C, CPU 1214C, CPU 1215C, and CPU 1217C
PTO/PWM functions.
67
4.5 Pulse outputs
68
Easy to create the device configuration 5
You create the device configuration for your PLC by adding a CPU and additional modules to
your project.
① Communications module (CM) or communication processor (CP): Up to 3, inserted in slots

101, 102, and 103
② CPU: Slot 1
③ Ethernet port of CPU
④ Signal board (SB), communication board (CB) or battery board (BB): up to 1, inserted in the
CPU
⑤ Signal module (SM) for digital or analog I/O: up to 8, inserted in slots 2 through 9
(CPU 1214C, CPU 1215C and CPU 1217C allow 8, CPU 1212C allows 2, CPU 1211C does
not allow any)
To create the device configuration, add a

device to your project.
• In the Portal view, select "Devices &
Networks" and click "Add device".
• In the Project view, under the project

name, double-click "Add new device".
69
Easy to create the device configuration
5.1 Uploading the configuration of a connected CPU

STEP 7 provides two methods for uploading the hardware configuration of a connected
CPU:
● Uploading the connected device as a new station
● Configuring an unspecified CPU and detecting the hardware configuration of the
connected CPU
Note, however, that the first method uploads both the hardware configuration and the
software of the connected CPU.
Uploading a device as a new station

To upload a connected device as a new station, follow these steps:
1. Expand your communications interface from the "Online access" node of the project tree.
2. Double-click "Update accessible devices".
3. Select the PLC from the detected devices.
4. From the Online menu of STEP 7, select the "Upload device as new station (hardware
and software)" menu command.
STEP 7 uploads both the hardware configuration and the program blocks.
70
Detecting the hardware configuration of an unspecified CPU
If you are connected to a CPU, you can upload the

configuration of that CPU, including any modules, to
your project. Simply create a new project and select
the "unspecified CPU" instead of selecting a specific
CPU. (You can also skip the device configuration en-
tirely by selecting the "Create a PLC program" from the
"First steps". STEP 7 then automatically creates an
unspecified CPU.)
From the program editor, you select the "Hardware
detection" command from the "Online" menu.
From the device configuration editor, you select the option for detecting the configuration of
the connected device.
After you select the CPU from the online dialog and click the Load button, STEP 7 uploads
the hardware configuration from the CPU, including any modules (SM, SB, or CM). You can
then configure the parameters for the CPU and the modules (Page 80).
71
5.2 Adding a CPU to the configuration
5.2 Adding a CPU to the configuration
You create your device configuration by inserting

a CPU into your project. Select the CPU in the
"Add a new device" dialog and click "OK" to add
the CPU to the project.
The Device view shows the

CPU and rack.
Selecting the CPU in the Device view

displays the CPU properties in the in-
spector window. Use these properties to
configure the operational parameters of
the CPU (Page 80).
Note
The CPU does not have a pre-configured IP address. You must manually assign an IP
address for the CPU during the device configuration. If your CPU is connected to a router on
the network, you also enter the IP address for a router.
72
5.3 Changing a device
5.3 Changing a device

You can change the device type of a configured CPU or module. From Device configuration,
right-click the device and select "Change device" from the context menu. From the dialog,
navigate to and select the CPU or module that you want to replace. The Change device
dialog shows you compatibility information between the two devices.
Note
Device exchange: replacing a V3.0 CPU with a V4.1 CPU
You can open a STEP 7 V12 project in STEP 7 V13 and replace V3.0 CPUs with V4.1
CPUs. You cannot replace CPUs that are from versions prior to V3.0. When you replace a
V3.0 CPU with a V4.1 CPU, consider the differences (Page 433) in features and behavior
between the two versions, and actions you must take.
If you have a project for a CPU version older than V3.0, you must first upgrade the CPU to
V3.0 and then upgrade it to V4.1.
73
5.4 Adding modules to the configuration
5.4 Adding modules to the configuration

Use the hardware catalog to add modules to the CPU:
● Signal module (SM) provides additional digital or analog I/O points. These modules are
connected to the right side of the CPU.
● Signal board (SB) provides just a few additional I/O points for the CPU. The SB is
installed on the front of the CPU.
● Battery Board 1297 (BB) provides long-term backup of the realtime clock. The BB is
installed on the front of the CPU.
● Communication board (CB) provides an additional communication port (such as RS485).
The CB is installed on the front of the CPU.
● Communication module (CM) and communication processor (CP) provide an additional
communication port, such as for PROFIBUS or GPRS. These modules are connected to
the left side of the CPU.
To insert a module into the device configuration, select the module in the hardware catalog
and either double-click or drag the module to the highlighted slot. You must add the modules
to the device configuration and download the hardware configuration to the CPU for the
modules to be functional.
Table 5- 1 Adding a module to the device configuration
Module Select the module Insert the module Result

SM
SB, BB
or CB
CM or
CP
74
5.5 Configuration control
With the "configuration control" feature (Page 79), you can add signal modules and signal
boards to your device configuration that might not correspond to the actual hardware for a
specific application, but that will be used in related applications that share a common user
program, CPU model, and perhaps some of the configured modules.
5.5 Configuration control

Configuration control can be a useful solution when you create an automation solution
(machine) that you intend to use with variations in multiple installations.
Configuration control with STEP 7 and the S7-1200 enables you to configure a maximum
configuration for a standard machine and to operate versions (options) that use a subset of
this configuration. The PROFINET with STEP 7 manual
(http://support.automation.siemens.com/WW/view/en/49948856) refers to these types of
projects as "standard machine projects".
You can load a STEP 7 device configuration and user program to different installed PLC
configurations. You only need to make a few easy adaptations to make the STEP 7 project
correspond to the actual installation.
A control data record that you program in the startup program block notifies the CPU as to
which modules are missing in the real installation as compared to the configuration or which
modules are located in different slots as compared to the configuration. Configuration control
does not have an impact on the parameter assignment of the modules.
Configuration control gives you the flexibility to vary the installation as long as you can derive
the real configuration from the maximum device configuration in STEP 7.
You can find instructions and examples for configuration control in the S7-1200
Programmable Controller System Manual.
75
5.6 Configuring the operation of the CPU and modules

To configure the operational parameters for the CPU, select the CPU in the Device view and
use the "Properties" tab of the inspector window.
You can configure the following CPU properties:

• PROFINET IP address and time
synchronization for the CPU
• Startup behavior of the CPU following an OFF-
to-ON power transition
• Local (on-board) digital and analog I/O, high-
speed counters (HSC), and pulse generators
• System clock (time, time zone and daylight
saving time)
• Read/write protection and password for
accessing the CPU
• Maximum cycle time or a fixed minimum cycle
time and communications load
• Web server properties
Configuring the STOP-to-RUN operation of the CPU

Whenever the operating state changes from STOP to RUN, the CPU clears the process
image inputs, initializes the process image outputs, and processes the startup OBs.
(Therefore, any read accesses to the process-image inputs by instructions in the startup OBs
will read zero rather than the current physical input value.) To read the current state of a
physical input during startup, you must perform an immediate read. The startup OBs and any
associated FCs and FBs are executed next. If more than one startup OB exists, each is
executed in order according to the OB number, with the lowest OB number executing first.
The CPU also performs the following tasks during the startup processing.
● Interrupts are queued but not processed during the startup phase
● No cycle time monitoring is performed during the startup phase
● Configuration changes to HSC (high-speed counter), PWM (pulse-width modulation), and
PtP (point-to-point communication) modules can be made in startup
● Actual operation of HSC, PWM, and point-to-point communication modules only occurs in
RUN
After the execution of the startup OBs finishes, the CPU goes to RUN mode and processes
the control tasks in a continuous scan cycle.
76
Use the CPU properties to configure how the CPU starts up after a power cycle.
• In STOP mode
• In RUN mode
• In the previous
mode (prior to the
power cycle)
The CPU performs a warm restart before going to RUN mode. Warm restart resets all non-
retentive memory to the default start values, but the CPU retains the current values stored in
the retentive memory.
Note
The CPU always performs a restart after a download
Whenever you download an element of your project (such as a program block, data block, or
hardware configuration), the CPU performs a restart on the next transition to RUN mode. In
addition to clearing the inputs, initializing the outputs and initializing the non-retentive
memory, the restart also initializes the retentive memory areas.
After the restart that follows a download, all subsequent STOP-to-RUN transitions perform a
warm restart (that does not initialize the retentive memory).
77
5.6.1 System memory and clock memory provide standard functionality

You use the CPU properties to enable bytes for "system memory" and "clock memory". Your
program logic can reference the individual bits of these functions by their tag names.
● You can assign one byte in M memory for system memory. The byte of system memory
provides the following four bits that can be referenced by your user program by the
following tag names:
– First cycle: (Tag name "FirstScan") bit is set to1 for the duration of the first scan after
the startup OB finishes. (After the execution of the first scan, the "first scan" bit is set
to 0.)
– Diagnostics status changed: (Tag name: "DiagStatusUpdate") is set to 1 for one scan
after the CPU logs a diagnostic event. Because the CPU does not set the
"DiagStatusUpdate" bit until the end of the first execution of the program cycle OBs,
your user program cannot detect if there has been a diagnostic change either during
the execution of the startup OBs or the first execution of the program cycle OBs.
– Always 1 (high): (Tag name "AlwaysTRUE") bit is always set to 1.
– Always 0 (low): (Tag name "AlwaysFALSE") bit is always set to 0.
● You can assign one byte in M memory for clock memory. Each bit of the byte configured
as clock memory generates a square wave pulse. The byte of clock memory provides 8
different frequencies, from 0.5 Hz (slow) to 10 Hz (fast). You can use these bits as control
bits, especially when combined with edge instructions, to trigger actions in the user
program on a cyclic basis.
The CPU initializes these bytes on the transition from STOP mode to STARTUP mode. The
bits of the clock memory change synchronously to the CPU clock throughout the STARTUP
and RUN modes.
CAUTION
Risks with overwriting the system memory or clock memory bits
Overwriting the system memory or clock memory bits can corrupt the data in these
functions and cause your user program to operate incorrectly, which can cause damage to
equipment and injury to personnel.
Because both the clock memory and system memory are unreserved in M memory,
instructions or communications can write to these locations and corrupt the data.
Avoid writing data to these locations to ensure the proper operation of these functions, and
always implement an emergency stop circuit for your process or machine.
78
System memory configures a byte with bits that turn on (value = 1) for a specific event.
Table 5- 2 System memory
7 6 5 4 3 2 1 0
Reserved Always off Always on Diagnostic status indica- First scan indicator
Value 0 Value 0 Value 1 tor
• 1: First scan after
• 1: Change startup
• 0: No change • 0: Not first scan
Clock memory configures a byte that cycles the individual bits on and off at fixed intervals.
Each clock bit generates a square wave pulse on the corresponding M memory bit. These
bits can be used as control bits, especially when combined with edge instructions, to trigger
actions in the user code on a cyclic basis.
Table 5- 3 Clock memory
Bit number 7 6 5 4 3 2 1 0
Tag name
Period (s) 2.0 1.6 1.0 0.8 0.5 0.4 0.2 0.1
Frequency (Hz) 0.5 0.625 1 1.25 2 2.5 5 10
Because clock memory runs asynchronously to the CPU cycle, the status of the clock memory can
change several times during a long cycle.
79
Configuring the operation of the I/O and communication modules

To configure the operational parameters for the signal module (SM), signal board (SB), or
communication module (CM), select the module in the Device view and use the "Properties"
tab of the inspector window.
Signal module (SM) and signal board (SB)

• Digital I/O: Configure the individual inputs, such as
for Edge detection and "pulse catch" (to stay on or
off for one scan after a momentary high- or low
pulse). Configure the outputs to use a freeze or
substitute value on a transition from RUN mode to
STOP mode.
● Analog I/O: Configure the parameters for individual inputs (such as voltage / current,
range and smoothing) and also enable underflow or overflow diagnostics. Configure the
parameters for individual analog outputs and enable diagnostics, such as short-circuit (for
voltage outputs) or overflow values.
● I/O addresses: Configure the start address for the set of inputs and outputs of the
module.
Communication module (CM) and communication

board (CB)
• Port configuration: Configure the communication
parameters, such as baud rate, parity, data bits,
stop bits, and wait time.
● Transmit and receive message: Configure options related to transmitting and receiving
data (such as the message-start and message-end parameters)
You can also change these configuration parameters with your user program.
80
5.7 Configuring the IP address of the CPU

Because the CPU does not have a pre-configured IP address, you must manually assign an
IP address. You configure the IP address and the other parameters for the PROFINET
interface when you configure the properties for the CPU.
● In a PROFINET network, each device is assigned a unique Media Access Control
address (MAC address) by the manufacturer for identification. Each device must also
have an IP address.
● A subnet is a logical grouping of connected network devices. A mask (also known as the
subnet mask or network mask) defines the boundaries of a subnet. The only connection
between different subnets is via a router. Routers are the link between LANs and rely on
IP addresses to deliver and receive data packets.
Before you can download an IP address to the CPU, you must ensure that the IP address for
your CPU is compatible with the IP address of your programming device.
You can use STEP 7 to determine the IP address of your programming device:
1. Expand the "Online access" folder in the Project tree to display your networks.
2. Select the network that connects to the CPU.
3. Right-click the specific network to display the context menu.
4. Select the "Properties" command.
Note
The IP address for the CPU must be compatible with the IP address and subnet mask for
the programming device. Consult your network specialist for a suitable IP address and
subnet mask for your CPU.
81
The "Properties" window displays

the settings for the programming
device.
After determining the IP address

and subnet mask for the CPU,
enter the IP address for the CPU
and for the router (if applicable).
Refer to the S7-1200 Program-
mable Controller System Manual
for more information.
After completing the configuration,

download the project to the CPU.
The IP addresses for the CPU and
for the router (if applicable) are con-
figured when you download the
project.
82
5.8 Protecting access to the CPU or code block is easy

The CPU provides four levels of security for restricting access to specific functions. When
you configure the security level and password for a CPU, you limit the functions and memory
areas that can be accessed without entering a password.
Each level allows certain functions to be accessible without a password. The default
condition for the CPU is to have no restriction and no password-protection. To restrict access
to a CPU, you configure the properties of the CPU and enter the password.
Entering the password over a network does not compromise the password protection for the
CPU. Password protection does not apply to the execution of user program instructions
including communication functions. Entering the correct password provides access to all of
the functions at that level.
PLC-to-PLC communications (using communication instructions in the code blocks) are not
restricted by the security level in the CPU.
Table 5- 4 Security levels for the CPU
Security level Access restrictions

Full access (no Allows full access without password protection.
protection)
Read access Allows HMI access and all forms of PLC-to-PLC communications without pass-
word protection.
Password is required for modifying (writing to) the CPU and for changing the
CPU mode (RUN/STOP).
HMI access Allows HMI access and all forms of PLC-to-PLC communications without pass-
word protection.
Password is required for reading the data in the CPU, for modifying (writing to)
the CPU, and for changing the CPU mode (RUN/STOP).
No access (com- Allows no access without password protection.
plete protection) Password is required for HMI access, reading the data in the CPU, and for mod-
ifying (writing to) the CPU.
Passwords are case-sensitive. To configure the protection level and passwords, follow these
steps:
1. In the "Device configuration", select the CPU.
2. In the inspector window, select the "Properties" tab.
3. Select the "Protection" property to select the protection level and to enter passwords.
83
When you download this configuration to the CPU, the user has HMI access and can access
HMI functions without a password. To read data, the user must enter the configured
password for "Read access" or the password for "Full access (no protection)". To write data,
the user must enter the configured password for "Full access (no protection)".
WARNING
Unauthorized access to a protected CPU
Users with CPU full access privileges have privileges to read and write PLC variables.
Regardless of the access level for the CPU, Web server users can have privileges to read
and write PLC variables. Unauthorized access to the CPU or changing PLC variables to
invalid values could disrupt process operation and could result in death, severe personal
injury and/or property damage.
Authorized users can perform operating mode changes, writes to PLC data, and firmware
updates. Siemens recommends that you observe the following security practices:
• Password protect CPU access levels and Web server user IDs (Page 254) with strong
passwords. Strong passwords are at least ten characters in length, mix letters, numbers,
and special characters, are not words that can be found in a dictionary, and are not
names or identifiers that can be derived from personal information. Keep the password
secret and change it frequently.
• Enable access to the Web server only with the HTTPS protocol.
• Do not extend the default minimum privileges of the Web server "Everybody" user.
• Perform error-checking and range-checking on your variables in your program logic
because Web page users can change PLC variables to invalid values.
Connection mechanisms
To access remote connection partners with PUT/GET instructions, the user must also have
permission.
By default, the "Permit access with PUT/GET communication" option is not enabled. In this
case, read and write access to CPU data is only possible for communication connections
that require configuration or programming both for the local CPU and for the communication
partner. Access through BSEND/BRCV instructions is possible, for example.
Connections for which the local CPU is only a server (meaning that no
configuration/programming of the communication with the communication partner exists at
the local CPU), are therefore not possible during operation of the CPU, for example:
● PUT/GET, FETCH/WRITE or FTP access through communication modules
● PUT/GET access from other S7 CPUs
● HMI access through PUT/GET communication
84
If you want to allow access to CPU data from the client side, that is, you do not want to
restrict the communication services of the CPU, follow these steps:
1. Configure the protection access level to be any level other than "No access (complete
protection)".
2. Select the "Permit access with PUT/GET communication" check box.
When you download this configuration to the CPU, the CPU permits PUT/GET
communication from remote partners
5.8.1 Know-how protection

Know-how protection allows you to prevent one or more code blocks (OB, FB, FC, or DB) in
your program from unauthorized access. You create a password to limit access to the code
block. The password-protection prevents unauthorized reading or modification of the code
block. Without the password, you can read only the following information about the code
block:
● Block title, block comment, and block properties
● Transfer parameters (IN, OUT, IN_OUT, Return)
● Call structure of the program
● Global tags in the cross references (without information on the point of use), but local
tags are hidden
When you configure a block for "know-how" protection, the code within the block cannot be
accessed except after entering the password.
Use the "Properties" task card of the code block to configure the know-how protection for
that block. After opening the code block, select "Protection" from Properties.
85
1. In the Properties for the code block, click

the "Protection" button to display the
"Know-how protection" dialog.
2. Click the "Define" button to enter the
password.
After entering and confirming the password,

click "OK".
5.8.2 Copy protection

An additional security feature allows you to bind program blocks for use with a specific
memory card or CPU. This feature is especially useful for protecting your intellectual
property. When you bind a program block to a specific device, you restrict the program or
code block for use only with a specific memory card or CPU. This feature allows you to
distribute a program or code block electronically (such as over the Internet or through email)
or by sending a memory cartridge. Copy protection is available for OBs (Page 95), FBs
(Page 97), and FCs (Page 97). The S7-1200 CPU supports three types of block protection:
● Binding to the serial number of a CPU
● Binding to the serial number of a memory card
● Dynamic binding with mandatory password
86
Use the "Properties" task card of the code block to bind the block to a specific CPU or
memory card.
1. After opening the code block, select "Protection".
2. From the drop-down list under "Copy protection" task, select the type of copy protection
that you want to use.
3. For binding to the serial number of a CPU or memory card, select either to insert the
serial number when downloading, or enter the serial number for the memory card or
CPU.
Note
The serial number is case-sensitive.
For dynamic binding with mandatory password, define the password that you must use to
download or copy the block.
When you subsequently download a block with dynamic binding, you must enter the
password to be able to download the block. Note that the copy protection password and
the know-how protection (Page 89) password are two separate passwords.
87
88
Programming made easy 6
6.1 Easy to design your user program
When you create a user program for the automation tasks, you insert the instructions for the
program into code blocks (OB, FB, or FC).
Choosing the type of structure for your user program

Based on the requirements of your application, you can choose either a linear structure or a
modular structure for creating your user program.
● A linear program executes all of the instructions for your automation tasks in sequence,
one after the other. Typically, the linear program puts all of the program instructions into
one program cycle OB (such as OB 1) for cyclic execution of the program.
● A modular program calls specific code blocks that perform specific tasks. To create a
modular structure, you divide the complex automation task into smaller subordinate tasks
that correspond to the functional tasks being performed by the process. Each code block
provides the program segment for each subordinate task. You structure your program by
calling one of the code blocks from another block.
Linear structure: Modular structure:
By designing FBs and FCs to perform generic tasks, you create modular code blocks. You
then structure your user program by having other code blocks call these reusable modules.
The calling block passes device-specific parameters to the called block. When a code block
calls another code block, the CPU executes the program code in the called block. After
execution of the called block is complete, the CPU resumes the execution of the calling
block. Processing continues with execution of the instruction that follows after the block call.
89
Programming made easy
You can also assign an OB to an interrupting event. When the event occurs, the CPU
executes the program code in the associated OB. After the execution of the OB is complete,
the CPU resumes the execution at the point in the user program when the interrupting event
occurred, which could be any point in the scan.
A Calling block (or interrupted block)

B Called FB or BC (or interrupting OB)
① Program execution
② Instruction (or interrupting event) that initiates
the execution of another block
③ Program execution
④ Block end (returns to calling block)
You can nest the block calls for a more modular structure. In the following example, the
nesting depth is 3: the program cycle OB plus 3 layers of calls to code blocks.
① Start of cycle
② Nesting depth
By creating generic code blocks that can be reused within the user program, you can simplify
the design and implementation of the user program.
● You can create reusable blocks of code for standard tasks, such as for controlling a pump
or a motor. You can also store these generic code blocks in a library that can be used by
different applications or solutions.
● When you structure the user program into modular components that relate to functional
tasks, the design of your program can be easier to understand and to manage. The
modular components not only help to standardize the program design but can also help
to make updating or modifying the program code quicker and easier.
● Creating modular components simplifies the debugging of your program. By structuring
the complete program as a set of modular program segments, you can test the
functionality of each code block as it is developed.
● Utilizing a modular design that relates to specific functional tasks can reduce the time
required for the commissioning of the completed application.
90
6.1.1 Use OBs for organizing your user program

Organization blocks provide structure for your program. They serve as the interface between
the operating system and the user program. OBs are event driven. An event, such as a
diagnostic interrupt or a time interval, causes the CPU to execute an OB. Some OBs have
predefined start events and behavior.
The program cycle OB contains your main program. You can include more than one program
cycle OB in your user program. During RUN mode, the program cycle OBs execute at the
lowest priority level and can be interrupted by all other event types. The startup OB does not
interrupt the program cycle OB because the CPU executes the startup OB before going to
RUN mode.
After finishing the processing of the program cycle OBs, the CPU immediately executes the
program cycle OBs again. This cyclic processing is the "normal" type of processing used for
programmable logic controllers. For many applications, the entire user program is located in
a single program cycle OB.
You can create other OBs to perform specific functions, such as for handling interrupts and
errors, or for executing specific program code at specific time intervals. These OBs interrupt
the execution of the program cycle OBs.
Use the "Add new block" dialog to create new OBs in your user program.
Interrupt handling is always

event-driven. When such
an event occurs, the CPU
interrupts the execution of
the user program and calls
the OB that was configured
to handle that event. After
finishing the execution of
the interrupting OB, the
CPU resumes the execu-
tion of the user program at
the point of interruption.
The CPU determines the order for handling interrupt events by priority. You can assign
multiple interrupt events to the same priority class. For more information, refer to the topics
on organization blocks (Page 57) and execution of the user program (Page 56).
91
Creating additional OBs

You can create multiple OBs for your user program, even for the program cycle and startup
OB events. Use the "Add new block" dialog to create an OB and enter a name for your OB.
If you create multiple program cycle OBs for your user program, the CPU executes each
program cycle OB in numerical sequence, starting with the program cycle OB with the lowest
number (such as OB 1). For example: after the first program cycle OB (such as OB 1)
finishes, the CPU executes the program cycle OB with the next higher number.
Configuring the properties of an OB

You can modify the properties of an OB. For example, you can configure the OB number or
programming language.
Note
Note that you can assign a process image part number to an OB that corresponds to PIP0,
PIP1, PIP2, PIP3, or PIP4. If you enter a number for the process image part number, the
CPU creates that process image partition. See the topic "Execution of the user program
(Page 56)" for an explanation of the process image partitions.
92
6.1.2 FBs and FCs make programming the modular tasks easy
A function (FC) is like a subroutine. An FC is a code block that typically performs a specific
operation on a set of input values. The FC stores the results of this operation in memory
locations. Use FCs to perform the following tasks:
● To perform standard and reusable operations, such as for mathematical calculations
● To perform functional tasks, such as for individual controls using bit logic operations
An FC can also be called several times at different points in a program. This reuse simplifies
the programming of frequently recurring tasks.
Unlike an FB, an FC does not have an associated instance DB. The FC uses its temp
memory (L) for the data used to calculate the operation. The temporary data is not saved. To
store data for use after the execution of the FC has finished, assign the output value to a
global memory location, such as M memory or to a global DB.
A function block (FB) is like a subroutine with memory. An FB is a code block whose calls
can be programmed with block parameters. The FB stores the input (IN), output (OUT), and
in/out (IN_OUT) parameters in variable memory that is located in a data block (DB), or
"instance" DB. The instance DB provides a block of memory that is associated with that
instance (or call) of the FB and stores data after the FB finishes.
You typically use an FB to control the operation for tasks or devices that do not finish their
operation within one scan cycle. To store the operating parameters so that they can be
quickly accessed from one scan to the next, each FB in your user program has one or more
instance DBs. When you call an FB, you also open an instance DB that stores the values of
the block parameters and the static local data for that call or "instance" of the FB. These
values are stored in the instance DB after the FB finishes.
You can assign start values to the parameters in the FB interface. These values are
transferred to the associated instance DB. If you do not assign parameters, the values
currently stored in the instance DB will be used. In some cases, you must assign
parameters.
You can associate different instance DBs with different calls of the FB. The instance DBs
allow you to use one generic FB to control multiple devices. You structure your program by
having one code block make a call to an FB and an instance DB. The CPU then executes
the program code in that FB and stores the block parameters and the static local data in the
instance DB. When the execution of the FB finishes, the CPU returns to the code block that
called the FB. The instance DB retains the values for that instance of the FB. By designing
the FB for generic control tasks, you can reuse the FB for multiple devices by selecting
different instance DBs for different calls of the FB.
The following figure shows an OB that calls one FB three times, using a different data block
for each call. This structure allows one generic FB to control several similar devices, such as
motors, by assigning a different instance data block for each call for the different devices.
93
Each instance DB stores the data (such as speed, ramp-up time, and total operating time)
for an individual device. In this example, FB 22 controls three separate devices, with DB 201
storing the operational data for the first device, DB 202 storing the operational data for the
second device, and DB 203 storing the operational data for the third device.
6.1.3 Data blocks provide easy storage for program data

You create data blocks (DB) in your user program to store data for the code blocks. All of the
program blocks in the user program can access the data in a global DB, but an instance DB
stores data for a specific function block (FB).
Your user program can store data in the specialized memory areas of the CPU, such as for
the inputs (I), outputs (Q), and bit memory (M). In addition, you can use a data block (DB) for
fast access to data stored within the program itself.
The data stored in a DB is not deleted when the data block is closed or the execution of the
associated code block comes to an end. There are two types of DBs:
● A global DB stores data for the code blocks in your program. Any OB, FB, or FC can
access the data in a global DB.
● An instance DB stores the data for a specific FB. The structure of the data in an instance
DB reflects the parameters (Input, Output, and InOut) and the static data for the FB. The
Temp memory for the FB is not stored in the instance DB.
Although the instance DB reflects the data for a specific FB, any code block can access the
data in an instance DB.
94
6.1.4 Creating a new code block

To add a new code block to the program, follow these steps:
1. Open the "Program blocks" folder.
2. Double-click "Add new block".
3. In the "Add new block" dialog, click the type of block to add. For example, click the
"Function (FC)" icon to add an FC.
4. Select the programming language for the code block from the drop-down menu.
5. Click "OK" to add the block to the project.

Selecting the "Add new and open" option (default) causes STEP 7 to open the newly-created
block in the editor.
95
6.1.5 Creating reusable code blocks
Use the "Add new block"

dialog under "Program
blocks" in the Project navi-
gator to create OBs, FBs,
FCs, and global DBs.
When you create a code
block, you select the pro-
gramming language for the
block. You do not select a
language for a DB because
it only stores data.
Selecting the "Add new
and open" check box (de-
fault) opens the code block
in the Project view.
You can store objects you want to reuse in libraries. For each project, there is a project
library that is connected to the project. In addition to the project library, you can create any
number of global libraries that can be used over several projects. Since the libraries are
compatible with each other, library elements can be copied and moved from one library to
another.
Libraries are used, for example, to create templates for blocks that you first paste into the
project library and then further develop there. Finally, you copy the blocks from the project
library to a global library. You make the global library available to other colleagues working
on your project. They use the blocks and further adapt them to their individual requirements,
where necessary.
For details about library operations, refer to the STEP 7 online Help library topics.
96
6.2 Easy-to-use programming languages
6.1.6 Calling a code block from another code block
You can easily have any code block (OB,

FB, or FC) in your user program call an FB
or FC in your CPU.
1. Open the code block that will call the other block.
2. In the project tree, select the code block to be called.
3. Drag the block to the selected network to create a call to the code block.
Note
Your user program cannot call an OB because OBs are event-driven (Page 58). The CPU
starts the execution of the OB in response to receiving an event.

STEP 7 provides the following standard programming languages for S7-1200:
● LAD (ladder logic) is a graphical programming language. The representation is based on
circuit diagrams (Page 102).
● FBD (Function Block Diagram) is a programming language that is based on the graphical
logic symbols used in Boolean algebra (Page 103).
● SCL (structured control language) is a text-based, high-level programming language
(Page 103).
When you create a code block, you select the programming language to be used by that
block.
Your user program can utilize code blocks created in any or all of the programming
languages.
97
6.2.1 Ladder logic (LAD)

The elements of a circuit diagram, such as normally closed and normally open contacts, and
coils are linked to form networks.
To create the logic for complex operations, you can insert branches to create the logic for
parallel circuits. Parallel branches are opened downwards or are connected directly to the
power rail. You terminate the branches upwards.
LAD provides "box" instructions for a variety of functions, such as math, timer, counter, and
move.
STEP 7 does not limit the number of instructions (rows and columns) in a LAD network.
Note
Every LAD network must terminate with a coil or a box instruction.
Consider the following rules when creating a LAD network:

● You cannot create a branch that could result in a power flow in the reverse direction.
● You cannot create a branch that would cause a short circuit.
98
6.2.2 Function Block Diagram (FBD)

Like LAD, FBD is also a graphical programming language. The representation of the logic is
based on the graphical logic symbols used in Boolean algebra.
To create the logic for complex operations,

insert parallel branches between the boxes.
Mathematical functions and other complex functions can be represented directly in

conjunction with the logic boxes.
STEP 7 does not limit the number of instructions (rows and columns) in an FBD network.
6.2.3 SCL overview

Structured Control Language (SCL) is a high-level, PASCAL-based programming language
for the SIMATIC S7 CPUs. SCL supports the block structure of STEP 7. You can also
include program blocks written in SCL with program blocks written in LAD and FBD.
SCL instructions use standard programming operators, such as for assignment (:=),
mathematical functions (+ for addition, - for subtraction, * for multiplication, and / for division).
SCL uses standard PASCAL program control operations, such as IF-THEN-ELSE, CASE,
REPEAT-UNTIL, GOTO and RETURN. You can use any PASCAL reference for syntactical
elements of the SCL programming language. Many of the other instructions for SCL, such as
timers and counters, match the LAD and FBD instructions.
Because SCL, like PASCAL, offers conditional processing, looping, and nesting control
structures, you can implement complex algorithms in SCL more easily than in LAD or FBD.
The following examples show different expressions for different uses:

"C" := #A+#B; Assigns two local variables to a tag
"Data_block_1".Tag := #A; Assignment to a data block tag
IF #A > #B THEN "C" := #A; Condition for the IF-THEN statement
"C" := SQRT (SQR (#A) + SQR (#B)); Parameters for the SQRT instruction
As a high-level programming language, SCL uses standard statements for basic tasks:
● Assignment statement: :=
● Mathematical functions: +, -, *, and /
● Addressing of global variables (tags): "<tag name>" (Tag name or data block name
enclosed in double quotes)
● Addressing of local variables: #<variable name> (Variable name preceded by "#" symbol)
● Absolute addressing: %<absolute address>, for example %I0.0 or %MW10
Arithmetic operators can process various numeric data types. The data type of the result is
determined by the data type of the most-significant operands. For example, a multiplication
operation that uses an INT operand and a REAL operand yields a REAL value for the result.
99
6.2.4 SCL program editor

You can designate any type of block (OB, FB, or FC) to use the SCL programming language
at the time you create the block. STEP 7 provides an SCL program editor that includes the
following elements:
● Interface section for defining the parameters of the code block
● Code section for the program code
● Instruction tree that contains the SCL instructions supported by the CPU
You enter the SCL code for your instruction directly in the code section. The editor includes
buttons for common code constructs and comments. For more complex instructions, simply
drag the SCL instructions from the instruction tree and drop them into your program. You can
also use any text editor to create an SCL program and then import that file into STEP 7.
In the Interface section of the SCL code block you can declare the following types of
parameters:
● Input, Output, InOut, and Ret_Val: These parameters define the input tags, output tags,
and return value for the code block. The tag name that you enter here is used locally
during the execution of the code block. You typically would not use the global tag name in
the tag table.
● Static (FBs only; the illustration above is for an FC): The code block uses static tags for
storage of static intermediate results in the instance data block. The block retains static
data until overwritten, which can be after several cycles. The names of the blocks, which
this block calls as multi-instance, are also stored in the static local data.
● Temp: These parameters are the temporary tags that are used during the execution of
the code block.
● Constant: These are named constant values for your code block.
100
6.3 Powerful instructions make programming easy
If you call the SCL code block from another code block, the parameters of the SCL code
block appear as inputs or outputs.
In this example, the tags for "Start" and "On" (from the project tag table) correspond to
"StartStopSwitch" and "RunYesNo" in the declaration table of the SCL program.
6.3.1 Providing the basic instructions you expect

The S7-1200 CPU supports many instructions. They are available from the instruction tree in
STEP 7 in the following groups:
● Basic instructions
● Extended instructions
● Technology
● Communication instruction
You can find a complete summary of all the instructions in the S7-1200 Programmable
Controller System Manual. This manual describes many of the common instructions.
Bit logic instructions

The basis of bit logic instructions is contacts and coils. Contacts read the status of a bit,
while the coils write the status of the operation to a bit.
Contacts test the binary status of

the bit, with the result being "power
flow" if on (1) or "no power flow" if
off (0).
The state of the coil reflects the
status of the preceding logic.
If you use a coil with the same address in more than one program location, the result of the
last calculation in the user program determines the status of the value that is written to the
physical output during the updating of the outputs.
Normally Open Normally Closed The Normally Open contact is closed (ON) when
Contact Contact the assigned bit value is equal to 1.
The Normally Closed contact is closed (ON) when
the assigned bit value is equal to 0.
101
The basic structure of a bit logic operation is either AND logic or OR logic. Contacts
connected in series create AND logic networks. Contacts connected in parallel create OR
logic networks.
You can connect contacts to other contacts and create your own combination logic. If the
input bit you specify uses memory identifier I (input) or Q (output), then the bit value is read
from the process-image register. The physical contact signals in your control process are
wired to input terminals on the PLC. The CPU scans the wired input signals and updates the
corresponding state values in the process-image input register.
You can specify an immediate read of a physical input using ":P" following the tag for an
input (such as "Motor_Start:P" or "I3.4:P"). For an immediate read, the bit data values are
read directly from the physical input instead of the process image. An immediate read does
not update the process image.
Output coil Inverted output coil
Note the following output results for power flow through output and inverted output coils:
● If there is power flow through an output coil, then the output bit is set to 1.
● If there is no power flow through an output coil, then the output coil bit is set to 0.
● If there is power flow through an inverted output coil, then the output bit is set to 0.
● If there is no power flow through an inverted output coil, then the output bit is set to 1.
The coil output instruction writes a value for an output bit. If the output bit you specify uses
memory identifier Q, then the CPU turns the output bit in the process-image register on or
off, setting the specified bit equal to power flow status. The output signals for your control
actuators are wired to the output terminals on the PLC. In RUN mode, the CPU system
scans your input signals, processes the input states according to your program logic, and
then reacts by setting new output state values in the process-image output register. After
each program execution cycle, the CPU transfers the new output state reaction stored in the
process-image register to the wired output terminals.
You can specify an immediate write of a physical output using ":P" following the tag for an
output (such as "Motor_On:P" or "Q3.4:P"). For an immediate write, the bit data values are
written to the process image output and directly to the physical output.
Coils are not restricted to the end of a network. You can insert a coil in the middle of a rung
of the LAD network, in between contacts or other instructions.
NOT contact inverter AND box with one inverted AND box with inverted logic input and
(LAD) logic input (FBD) output (FBD)
The LAD NOT contact inverts the logical state of power flow input.
● If there is no power flow into the NOT contact, then there is power flow out.
● If there is power flow into the NOT contact, then there is no power flow out.
102
For FBD programming, you can drag the "Invert RLO" tool from the "Favorites" toolbar or
instruction tree and then drop it on an input or output to create a logic inverter on that box
connector.
AND box (FBD) OR box (FBD) XOR box (FBD)
● All inputs of an AND box must be TRUE for the output to be TRUE.
● Any input of an OR box must be TRUE for the output to be TRUE.
● An odd number of the inputs of an XOR box must be TRUE for the output to be TRUE.
In FBD programming, the contact networks of LAD are represented by AND (&), OR (>=1),
and EXCLUSIVE OR (x) box networks where you can specify bit values for the box inputs
and outputs. You may also connect to other logic boxes and create your own logic
combinations. After the box is placed in your network, you can drag the "Insert input" tool
from the "Favorites" toolbar or instruction tree and then drop it onto the input side of the box
to add more inputs. You can also right-click on the box input connector and select "Insert
input".
Box inputs and output can be connected to another logic box, or you can enter a bit address
or bit symbol name for an unconnected input. When the box instruction is executed, the
current input states are applied to the binary box logic and, if true, the box output will be true.
103
6.3.2 Comparator and Move instructions

The Comparator operations perform a comparison of two values with the same data type.
Table 6- 1 Comparator operations
Instruction SCL Description

LAD: out := in1 = in2; • Equal (==):The comparison is true if IN1 is equal to
out := in1 <> in2; IN2
out := in1 >= in2;
• Not equal (<>):The comparison is true if IN1 is not
out := in1 <= in2;
equal to IN2
out := in1 > in2;
out := in1 < in2; • Greater or equal (>=):The comparison is true if IN1 is
FBD:
greater than or equal to IN2
• Less or equal (<=):The comparison is true if IN1 is
less than or equal to IN2
• Greater than (>):The comparison is true if IN1 is
greater than IN2
• Less than (<):The comparison is true if IN1 is less
than IN2
1 For LAD and FBD: The contact is activated (LAD) or the box output is TRUE (FBD) if the comparison is TRUE,
For additional Comparator operations, refer to the S7-1200 Programmable Controller System
Manual.
The Move operations copy data elements to a new memory address and can convert from
one data type to another. The source data is not changed by the move process.
● MOVE copies a data element stored at a specified address to a new address. To add
another output, click the icon next to the OUT1 parameter.
● MOVE_BLK (interruptible move) and UMOVE_BLK (uninterruptible move) copy a block of
data elements to a new address. The MOVE_BLK and UMOVE_BLK instructions have an
additional COUNT parameter. The COUNT specifies how many data elements are
copied. The number of bytes per element copied depends on the data type assigned to
the IN and OUT parameter tag names in the PLC tag table.
104
Table 6- 2 MOVE, MOVE_BLK and UMOVE_BLK instructions
LAD / FBD SCL Description

out1 := in; Copies a data element stored at a specified
address to a new address or multiple address-
es. To add another output in LAD or FBD, click
the icon by the output parameter. For SCL, use
multiple assignment statements. You might
also use one of the loop constructions.
MOVE_BLK(in:=_variant_in, Interruptible move that copies a block of data
count:=_uint_in, elements to a new address.
out=>_variant_out);
UMOVE_BLK(in:=_variant_in, Uninterruptible move that copies a block of

count:=_uint_in data elements to a new address.
out=>_variant_out);
For additional Move operations, refer to the S7-1200 System Manual.
6.3.3 Conversion operations
Table 6- 3 Conversion operations

out := <data type in>_TO_<data type Converts a data element from one data type to
out>(in); another data type.
1 For LAD and FBD: Click below the box name and select the data types from the drop-down menu. After you select the
(convert from) data type, a list of possible conversions is shown in the (convert to) dropdown list.
2 For SCL: Construct the conversion instruction by identifying the data type for the input parameter (in) and output pa-
rameter (out). For example, DWORD_TO_REAL converts a DWord value to a Real value.
105
Table 6- 4 Round and Truncate instructions

out := ROUND (in); Converts a real number (Real or LReal) to an integer. The instruction
rounds the real number to the nearest integer value (IEEE - round to
nearest). If the number is exactly one-half the span between two inte-
gers (for example, 10.5), then the instruction rounds the number to the
even integer. For example:
• ROUND (10.5) = 10
• ROUND (11.5) = 12
For LAD/FBD, you click the "???" in the instruction box to select the
data type for the output, for example, "DInt". For SCL, the default output
data type is DINT. To round to another output data type, enter the in-
struction name with the explicit name of the data type, for example,
ROUND_REAL or ROUND_LREAL.
out := TRUNC(in); Converts a real number (Real or LReal) to an integer. The fractional
part of the real number is truncated to zero (IEEE - round to zero).
Table 6- 5 Ceiling (CEIL) and Floor instructions

out := CEIL(in); Converts a real number (Real or LReal) to the closest integer greater
than or equal to the selected real number (IEEE "round to +infinity").
out := FLOOR(in); Converts a real number (Real or LReal) to the closest integer smaller
than or equal to the selected real number (IEEE "round to -infinity").
106
Table 6- 6 SCALE_X and NORM_X instructions

out := SCALE_X( Scales the normalized real parameter VALUE where ( 0.0
min:=_in_, <= VALUE <= 1.0 ) in the data type and value range spec-
value:=_in_, ified by the MIN and MAX parameters:
max:=_in_); OUT = VALUE (MAX - MIN) + MIN
out := NORM_X( Normalizes the parameter VALUE inside the value range
min:=_in_, specified by the MIN and MAX parameters:
value:=_in_, OUT = (VALUE - MIN) / (MAX - MIN),
max:=_in_); where ( 0.0 <= OUT <= 1.0 )
1 Equivalent SCL: out := value (max-min) + min;2 Equivalent SCL: out := (value-min)/(max-min);
6.3.4 Math made easy with the Calculate instruction
Table 6- 7 CALCULATE instruction

Use the stand- The CALCULATE instruction lets you create a math function that oper-
ard SCL math ates on inputs (IN1, IN2, .. INn) and produces the result at OUT, ac-
expressions to cording to the equation that you define.
create the equa-
• Select a data type first. All inputs and the output must be the same
tion.
data type.
• To add another input, click the icon at the last input.
Table 6- 8 Data types for the parameters
Parameter Data type1

IN1, IN2, ..INn SInt, Int, DInt, USInt, UInt, UDInt, Real, LReal, Byte, Word, DWord
OUT SInt, Int, DInt, USInt, UInt, UDInt, Real, LReal, Byte, Word, DWord
1 The IN and OUT parameters must be the same data type (with implicit conversions of the input parameters). For exam-
ple: A SINT value for an input would be converted to an INT or a REAL value if OUT is an INT or REAL
107
Click the calculator icon to open the dialog and define your math function. You enter your
equation as inputs (such as IN1 and IN2) and operations. When you click "OK" to save the
function, the dialog automatically creates the inputs for the CALCULATE instruction.
The dialog shows an example and a list of possible instructions that you can include based
on the data type of the OUT parameter:
Note
You also must create an input for any constants in your function. The constant value would
then be entered in the associated input for the CALCULATE instruction.
By entering constants as inputs, you can copy the CALCULATE instruction to other locations
in your user program without having to change the function. You then can change the values
or tags of the inputs for the instruction without modifying the function.
When CALCULATE is executed and all the individual operations in the calculation complete
successfully, then the ENO = 1. Otherwise, ENO = 0.
For an example of the CALCULATE instruction, see "Use the CALCULATE instruction for a
complex mathematical equation (Page 46)".
108
6.3.5 Timer operations
The S7-1200 supports the following timers

● The TP timer generates a pulse with a preset width time.
● The TON timer sets the output (Q) to ON after a preset time delay.
● The TOF timer sets the output (Q) to ON and then resets the output to OFF after a preset
time delay.
● The TONR timer sets the output (Q) to ON after a preset time delay. The elapsed time is
accumulated over multiple timing periods until the reset (R) input is used to reset the
elapsed time.
● The PT (preset timer) coil loads a new preset time value in the specified timer.
● The RT (reset timer) coil resets the specified timer.
For LAD and FBD, these instructions are available as either a box instruction or an output
coil.
The number of timers that you can use in your user program is limited only by the amount of
memory in the CPU. Each timer uses 16 bytes of memory.
Each timer uses a structure stored in a data block to maintain timer data. For SCL, you must
first create the DB for the individual timer instruction before you can reference it. For LAD
and FBD, STEP 7 automatically creates the DB when you insert the instruction.
When you create the DB, you can also use a multi-instance DB. Because the timer data is
contained in a single DB and does not require a separate DB for each timer, the processing
time for handling the timers is reduced. There is no interaction between the timer data
structures in the shared multi-instance DB.
Table 6- 9 TP (Pulse timer)
LAD / FBD SCL Timing diagram

"timer_db".TP(
IN:=_bool_in_,
PT:=_time_in_,
Q=>_bool_out_,
ET=>_time_out_);
109
Table 6- 10 TON (ON-delay timer)

"timer_db".TON(
IN:=_bool_in_,
PT:=_time_in_,
Q=>_bool_out_,
ET=>_time_out_);
Table 6- 11 TOF (OFF-delay timer)

"timer_db".TOF(
IN:=_bool_in_,
PT:=_time_in_,
Q=>_bool_out_,
ET=>_time_out_);
Table 6- 12 TONR (ON-delay Retentive timer)

"timer_db".TONR(
IN:=_bool_in_,
R:=_bool_in_,
PT:=_time_in_,
Q=>_bool_out_,
ET=>_time_out_);
110
Table 6- 13 Preset timer -(PT)- and Reset timer -(RT)- coil instructions

PRESET_TIMER( Use the Preset timer -(PT)- and Reset timer -(RT)- coil instruc-
PT:=_time_in_, tions with either box or coil timers. These coil instructions can be
placed in a mid-line position. The coil output power flow status is
TIMER:=_iec_timer_in_) always the same as the coil input status.
; • When the -(PT)- coil is activated, the PRESET time element
of the specified IEC_Timer DB data is set to the
"PRESET_Tag" time duration.
RESET_TIMER(
_iec_timer_in_); • When the -(RT)- coil is activated, the ELAPSED time element
of the specified IEC_Timer DB data is reset to 0.
Table 6- 14 Data types for the parameters
Parameter Data type Description

Box: IN Bool TP, TON, and TONR:
Coil: Power flow Box: 0=Disable timer, 1=Enable timer
Coil: No power flow=Disable timer, Power flow=Enable timer
TOF:
Box: 0=Enable timer, 1=Disable timer
Coil: No power flow=Enable timer, Power flow=Disable timer
R Bool TONR box only:
0=No reset
1= Reset elapsed time and Q bit to 0
Box: PT Time Timer box or coil: Preset time input
Coil: "PRESET_Tag"
Box: Q Bool Timer box: Q box output or Q bit in the timer DB data
Coil: DBdata.Q Timer coil: you can only address the Q bit in the timer DB data
Box: ET Time Timer box: ET (elapsed time) box output or ET time value in the timer DB
Coil: DBdata.ET data
Timer coil: you can only address the ET time value in the timer DB data.
111
Table 6- 15 Effect of value changes in the PT and IN parameters
Timer Changes in the PT and IN box parameters and the corresponding coil parameters
TP • Changing PT has no effect while the timer runs.
• Changing IN has no effect while the timer runs.
TON • Changing PT has no effect while the timer runs.
• Changing IN to FALSE, while the timer runs, resets and stops the timer.
TOF • Changing PT has no effect while the timer runs.
• Changing IN to TRUE, while the timer runs, resets and stops the timer.
TONR • Changing PT has no effect while the timer runs, but has an effect when the timer resumes.
• Changing IN to FALSE, while the timer runs, stops the timer but does not reset the timer. Changing IN
back to TRUE will cause the timer to start timing from the accumulated time value.
PT (preset time) and ET (elapsed time) values are stored in the specified IEC_TIMER DB
data as signed double integers that represent milliseconds of time. TIME data uses the T#
identifier and can be entered as a simple time unit (T#200ms or 200) and as compound time
units like T#2s_200ms.
Table 6- 16 Size and range of the TIME data type
Data type Size Valid number ranges1

TIME 32 bits, stored as T#-24d_20h_31m_23s_648ms to T#24d_20h_31m_23s_647ms
DInt data Stored as -2,147,483,648 ms to +2,147,483,647 ms
1 The negative range of the TIME data type shown above cannot be used with the timer instructions. Negative PT (preset
time) values are set to zero when the timer instruction is executed. ET (elapsed time) is always a positive value.
112
Timer programming
The following consequences of timer operation should be considered when planning and
creating your user program:
● You can have multiple updates of a timer in the same scan. The timer is updated each
time the timer instruction (TP, TON, TOF, TONR) is executed and each time the
ELAPSED or Q member of the timer structure is used as a parameter of another
executed instruction. This is an advantage if you want the latest time data (essentially an
immediate read of the timer). However, if you desire to have consistent values throughout
a program scan, then place your timer instruction prior to all other instructions that need
these values, and use tags from the Q and ET outputs of the timer instruction instead of
the ELAPSED and Q members of the timer DB structure.
● You can have scans during which no update of a timer occurs. It is possible to start your
timer in a function, and then cease to call that function again for one or more scans. If no
other instructions are executed which reference the ELAPSED or Q members of the timer
structure, then the timer will not be updated. A new update will not occur until either the
timer instruction is executed again or some other instruction is executed using ELAPSED
or Q from the timer structure as a parameter.
● Although not typical, you can assign the same DB timer structure to multiple timer
instructions. In general, to avoid unexpected interaction, you should only use one timer
instruction (TP, TON, TOF, TONR) per DB timer structure.
Self-resetting timers are useful to trigger actions that need to occur periodically. Typically,
self-resetting timers are created by placing a normally-closed contact which references the
timer bit in front of the timer instruction. This timer network is typically located above one or
more dependent networks that use the timer bit to trigger actions. When the timer expires
(elapsed time reaches preset value), the timer bit is ON for one scan, allowing the dependent
network logic controlled by the timer bit to execute. Upon the next execution of the timer
network, the normally closed contact is OFF, thus resetting the timer and clearing the timer
bit. The next scan, the normally closed contact is ON, thus restarting the timer. When
creating self-resetting timers such as this, do not use the "Q" member of the timer DB
structure as the parameter for the normally-closed contact in front of the timer instruction.
Instead, use the tag connected to the "Q" output of the timer instruction for this purpose. The
reason to avoid accessing the Q member of the timer DB structure is because this causes an
update to the timer and if the timer is updated due to the normally closed contact, then the
contact will reset the timer instruction immediately. The Q output of the timer instruction will
not be ON for the one scan and the dependent networks will not execute.
The -(TP)-, -(TON)-, -(TOF)-, and -(TONR)- timer coils must be the last instruction in a
network. As shown in the timer example, a contact instruction in a subsequent network
evaluates the Q bit in a timer coil's IEC_Timer DB data. Likewise, you must address the
ELAPSED element in the IEC_timer DB data if you want to use the elapsed time value in
your program.
The pulse timer is started on a 0 to 1 transition of the Tag_Input bit value. The timer runs for
the time specified by Tag_Time time value.
113
As long as the timer runs, the state of DB1.MyIEC_Timer.Q=1 and the Tag_Output value=1.
When the Tag_Time value has elapsed, then DB1.MyIEC_Timer.Q=0 and the Tag_Output
value=0.
6.3.6 Counter operations

You use the counter instructions to count internal program events and external process
events.
● The "count up" counter (CTU) counts up by 1 when the value of the input parameter CU
changes from 0 to 1.
● The "count down" counter (CTD) counts down by 1 when the value of input parameter CD
changes from 0 to 1.
● The "count up and down" counter (CTUD) counts up or down by 1 on the 0 to 1 transition
of the count up (CU) or count down (CD) inputs.
S7-1200 also provides high-speed counters (Page 129) (HSC) for counting events that occur
faster than the OB execution rate.
The CU, CD, and CTUD instructions use software counters whose maximum counting rate is
limited by the execution rate of the OB they are placed in.
Note
If the events to be counted occur within the execution rate of the OB, use CTU, CTD, or
CTUD counter instructions. If the events occur faster than the OB execution rate, then use
the HSC.
Each counter uses a structure stored in a data block to maintain counter data. For SCL, you
must first create the DB for the individual counter instruction before you can reference it. For
LAD and FBD, STEP 7 automatically creates the DB when you insert the instruction.
114
The number of counters that you can use in your user program is limited only by the amount
of memory in the CPU. Individual counters use 3 bytes (for SInt or USInt), 6 bytes (for Int or
UInt), or 12 bytes (for DInt or UDInt).
Table 6- 17 CTU (count up) counter
LAD / FBD SCL Operation

"ctu_db".CTU(
CU:=_bool_in,
R:=_bool_in,
PV:=_in_,
Q=>_bool_out,
CV=>_out_);
The timing diagram shows the operation of a CTU counter with an unsigned integer count
value (where PV = 3).
● If the value of parameter CV (current count value) is greater than or equal to the value of
parameter PV (preset count value), then the counter output parameter Q = 1.
● If the value of the reset parameter R changes from 0 to 1, then CV is reset to 0.
Table 6- 18 CTD (count down) counter

"ctd_db".CTD(
CD:=_bool_in,
LD:=_bool_in,
PV:=_in_,
Q=>_bool_out,
CV=>_out_);
The timing diagram shows the operation of a CTD counter with an unsigned integer count
● If the value of parameter CV (current count value) is equal to or less than 0, the counter
output parameter Q = 1.
● If the value of parameter LD changes from 0 to 1, the value at parameter PV (preset
value) is loaded to the counter as the new CV.
115
Table 6- 19 CTUD (count up and down) counter

"ctud_db".CTUD(
CU:=_bool_in,
CD:=_bool_in,
R:=_bool_in,
LD:=_bool_in,
PV:=_in_,
QU=>_bool_out,
QD=>_bool_out,
CV=>_out_);
The timing diagram shows the operation of a CTUD counter with an unsigned integer count
● If the value of parameter CV (current count value) is equal to or greater than the value of
parameter PV (preset value), then the counter output parameter QU = 1.
● If the value of parameter CV is less than or equal to zero, then the counter output
parameter QD = 1.
● If the value of parameter LD changes from 0 to 1, then the value at parameter PV is
loaded to the counter as the new CV.
● If the value of the reset parameter R changes from 0 to 1, CV is reset to 0.
116
6.3.7 Pulse-width modulation (PWM)

The CTRL_PWM instruction is available in the Pulse group of the Extended instructions.
Table 6- 20 CTRL_PWM instruction
LAD / FBD SCL Desciption

"ctrl_pwm_db"( The CTRL_PWM instruction provides a fixed cycle
PWM:=W#16#0, time output with a variable duty cycle. The PWM
ENABLE:=False, output runs continuously after being started at the
BUSY=>_bool_out_, specified frequency (cycle time). The pulse width is
STATUS=>_word_out_); varied as required to affect the desired control.
When you insert the CTRL_PWM instruction in your code block, you create the DB for the
instruction from the "Call options" dialog. The CTRL_PWM instruction stores the parameter
information in the DB and controls the data block parameters.
The pulse width will be set to the initial value configured in device configuration when the
CPU first enters the RUN mode. You write values to the word-length output (Q) address that
was specified in device configuration ("Output addresses" / "Start address") as needed to
change the pulse width. Use an instruction (such as Move, Convert, Math, or PID) to write
the specified pulse width to the appropriate word-length output (Q). You must use the valid
range for the output value (percent, thousandths, ten-thousandths, or S7 analog format).
Duty cycle can be expressed, for example, as a per-

centage of the cycle time or as a relative quantity (such
as 0 to 1000 or 0 to 10000). The pulse width can vary
from 0 (no pulse, always off) to full scale (no pulse,
always on).
① Cycle time
② Pulse width time
The PWM output can be varied from 0 to full scale, providing a digital output that in many
ways is the same as an analog output. For example, the PWM output can be used to control
the speed of a motor from stop to full speed, or it can be used to control position of a valve
from closed to fully opened.
117
6.4 Easy to create data logs

Your control program can use the Data log instructions to store run-time data values in
persistent log files. The data log files are stored in flash memory (CPU or memory card). Log
file data is stored in standard CSV (Comma Separated Value) format. The data records are
organized as a circular log file of a pre-determined size.
The Data log instructions are used in your program to create, open, write a record, and close
the log files. You decide which program values will be logged by creating a data buffer that
defines a single log record. Your data buffer is used as temporary storage for a new log
record. New current values must be programmatically moved into the buffer during run-time.
When all of the current data values are updated, you can execute the DataLogWrite
instruction to transfer data from the buffer to a data log record.
You can open, edit, save, rename, and delete data log files from the File Browser page of
the Web Server. You must have read privileges to view the file browser and you must have
modify privileges to edit, delete, or rename data log files.
Use the DataLog instructions to programmatically store run-time process data in flash
memory of the CPU. The data records are organized as a circular log file of a pre-
determined size. New records are appended to the data log file. After the data log file has
stored the maximum number of records, the next record written overwrites the oldest record.
To prevent overwriting any data records, use the DataLogNewFile instruction. New data
records are stored in the new data log file, while the old data log file remains in the CPU.
Table 6- 21 DataLogWrite instruction
LAD/FBD SCL Description

"DataLogWrite_DB"( DataLogWrite writes a data record into the specified data log.
req:=FALSE, The pre-existing target data log must be open.
done=>_bool_out_, You must programmatically load the record buffer with current
busy=>_bool_out_, run-time data values and then execute the DataLogWrite instruc-
error=>_bool_out_, tion to move new record data from the buffer to the data log.
status=>_word_out_, If there is a power failure during an incomplete DataLogWrite
ID:=_dword_inout_); operation, then the data record being transferred to the data log
could be lost.
118
Table 6- 22 DataLogCreate and DataLogNewFile instructions

"DataLogCreate_DB"( DataLogCreate1 creates and initializes a
req:=FALSE, data log file stored in the \DataLogs directo-
records:=1, ry of the CPU. The data log file is created
format:=1, with a pre-determined fixed size.
timestamp:=1,
done=>_bool_out_,
busy=>_bool_out_,
error=>_bool_out_,
status=>_word_out_,
name:=_variant_in_,
ID:=_dword_inout_,
header:=_variant_inout_,
data:=_variant_inout_);
"DataLogNewFile_DB"( DataLogNewFile1 allows your program to
req:=FALSE, create a new data log file based upon an
records:=1, existing data log file. A new data log will be
done=>_bool_out_, created and implicitly opened based with
busy=>_bool_out_, the specified NAME. The header record will
error=>_bool_out_, be duplicated from the original data log
along with the original data log properties.
status=>_word_out_,
The original data log file will be implicitly
name=:_variant_in_,
closed.
ID:=_dword_inout_);
1 The DataLogCreate and DataLogNewFile operations extend over many program scan cycles. The actual time required
for the log file creation depends on the record structure and number of records. Before the new data log can be used for
other data log operations, your program logic must monitor the transition of the DONE bit to TRUE.
Table 6- 23 DataLogOpen and DataLogClose instructions

"DataLogOpen_DB"( The DataLogOpen instruction opens a pre-existing data log
req:=FALSE, file. A data log must be opened before you can write new rec-
mode:=0, ords to the log. Data logs can be opened and closed individu-
name:=_variant_in_, ally. Eight data logs can be open at the same time.
done=>_bool_out_,
busy=>_bool_out_,
error=>_bool_out_,
status=>_word_out_,
ID:=_dword_inout_);
"DataLogClose_DB"( The DataLogClose instruction closes an open data log file.
req:=FALSE, DataLogWrite operations to a closed data log result in an error.
done=>_bool_out_, No write operations are allowed to this data log until another
busy=>_bool_out_, DataLogOpen operation is performed.
error=>_bool_out_, A transition to STOP mode closes all open data log files.
status=>_word_out_,
ID:=_dword_inout_);
119
6.5 Easy to monitor and test your user program
6.5.1 Watch tables and force tables

You use "watch tables" for monitoring and modifying the values of a user program being
executed by the online CPU. You can create and save different watch tables in your project
to support a variety of test environments. This allows you to reproduce tests during
commissioning or for service and maintenance purposes.
With a watch table, you can monitor and interact with the CPU as it executes the user
program. You can display or change values not only for the tags of the code blocks and data
blocks, but also for the memory areas of the CPU, including the inputs and outputs (I and Q),
peripheral inputs (I:P), bit memory (M), and data blocks (DB).
With the watch table, you can enable the physical outputs (Q:P) of a CPU in STOP mode.
For example, you can assign specific values to the outputs when testing the wiring for the
CPU.
STEP 7 also provides a force table for "forcing" a tag to a specific value. For more
information about forcing, see the section on forcing values in the CPU (Page 340) in the
"Online and Diagnostics" chapter.
Note
The force values are stored in the CPU and not in the watch table.
You cannot force an input (or "I" address). However, you can force a peripheral input. To
force a peripheral input, append a ":P" to the address (for example: "On:P").
STEP 7 also provides the capability of tracing and recording program variables based on
trigger conditions (Page 353).
120
6.5.2 Cross reference to show usage

The Inspector window displays cross-reference information about how a selected object is
used throughout the complete project, such as the user program, the CPU and any HMI
devices. The "Cross-reference" tab displays the instances where a selected object is being
used and the other objects using it. The Inspector window also includes blocks which are
only available online in the cross-references. To display the cross-references, select the
"Show cross-references" command. (In the Project view, find the cross references in the
"Tools" menu.)
Note
You do not have to close the editor to see the cross-reference information.
You can sort the entries in the cross-reference. The cross-reference list provides an
overview of the use of memory addresses and tags within the user program.
● When creating and changing a program, you retain an overview of the operands, tags
and block calls you have used.
● From the cross-references, you can jump directly to the point of use of operands and
tags.
● During a program test or when troubleshooting, you are notified about which memory
location is being processed by which command in which block, which tag is being used in
which screen, and which block is called by which other block.
Table 6- 24 Elements of the cross reference
Column Description
Object Name of the object that uses the lower-level objects or that is being used by the
lower-level objects
Number Number of uses
Point of use Each location of use, for example, network
Property Special properties of referenced objects, for example, the tag names in multi-
instance declarations
as Shows additional information about the object, such as whether an instance DB is
used as template or as a multiple instance
Access Type of access, whether access to the operand is read access (R) and/or write
access (W)
Address Address of the operand
Type Information on the type and language used to create the object
Path Path of object in project tree
Depending on the installed products, the cross-reference table displays additional or different
columns.
121
6.5.3 Call structure to examine the calling hierarchy

The call structure describes the call hierarchy of the block within your user program. It
provides an overview of the blocks used, calls to other blocks, the relationships between
blocks, the data requirements for each block, and the status of the blocks. You can open the
program editor and edit blocks from the call structure.
Displaying the call structure provides you with a list of the blocks used in the user program.
STEP 7 highlights the first level of the call structure and displays any blocks that are not
called by any other block in the program. The first level of the call structure displays the OBs
and any FCs, FBs, and DBs that are not called by an OB. If a code block calls another block,
the called block is shown as an indentation under the calling block. The call structure only
displays those blocks that are called by a code block.
You can selectively display only the blocks causing conflicts within the call structure. The
following conditions cause conflicts:
● Blocks that execute any calls with older or newer code time stamps
● Blocks that call a block with modified interface
● Blocks that use a tag with modified address and/or data type
● Blocks that are called neither directly nor indirectly by an OB
● Blocks that call a non-existent or missing block
You can group several block calls and data blocks as a group. You use a drop-down list to
see the links to the various call locations.
You can also perform a consistency check to show time stamp conflicts. Changing the time
stamp of a block during or after the program is generated can lead to time stamp conflicts,
which in turn cause inconsistencies among the blocks that are calling and being called.
● Most time stamp and interface conflicts can be corrected by recompiling the code blocks.
● If compilation fails to clear up inconsistencies, use the link in the "Details" column to go to
the source of the problem in the program editor. You can then manually eliminate any
inconsistencies.
● Any blocks marked in red must be recompiled.
122
6.5.4 Diagnostic instructions to monitor the hardware
6.5.4.1 Reading the states of the LEDs on the CPU

The LED instruction allows your user program to determine the state of the LEDs on the
CPU. You can use this information for programming a tag for your HMI device.
Table 6- 25 LED instruction

ret_val := LED( RET_VAL returns the following LED states for the CPU
laddr:=_word_in_,
• RUN/STOP: green or yellow
LED:=_uint_in_);
• Error: red
• MAINT (maintenance): yellow
• Link: green
• Tx/Rx (transmit/receive): yellow
123
6.5.4.2 Instructions for reading the diagnostic status of the devices

STEP 7 also includes instructions for reading the status information that is provided by the
hardware devices on your network.
Table 6- 26 Diagnostic instructions

ret_val := GET_DIAG( The GET_DIAG instruction reads the diag-
mode:=_uint_in_, nostic information from a specified hardware
laddr:=_word_in_, device.
cnt_diag=>_uint_out_,
diag:=_variant_inout_,
de-
tail:=_variant_inout_);
ret_val := DeviceStates( The DeviceStates instruction reads the status
laddr:=_word_in_, of PROFINET or PROFIBUS devices.
mode:=_uint_in_,
state:=_variant_inout_);
ret_val := ModuleStates( The ModuleStates instruction reads the sta-

laddr:=_word_in_, tus of PROFINET or PROFIBUS modules.
mode:=_uint_in,
state:=_variant_inout);
"GET_IM_DATA_DB"(LADDR:=16#0, Use the Get_IM_Data instruction to check the

IM_TYPE:=0, identification and maintenance (I&M) data for
DONE=>_bool_out_, the specified module or sub-module.
BUSY=>_bool_out_,
ERROR=>_bool_out_,
STATUS=>_word_out_,
DATA:=_variant_inout_);
124
6.6 High-speed counter (HSC)

Use the high-speed counters (HSC) for counting events that occur faster than the OB
execution rate. The Counting instructions are in the Technology section of the instruction
tree. The CTRL_HSC instruction controls the operation of the HSC.
Note
If the events to be counted occur within the execution rate of the OB, use CTU, CTD, or
CTUD counter instructions. If the events occur faster than the OB execution rate, then use
the HSC.
You configure the parameters for each HSC in the device configuration for the CPU:
counting mode, I/O connections, interrupt assignment, and operation as a high-speed
counter or as a device to measure pulse frequency or period.
Table 6- 27 CTRL_HSC instruction

"counter_name"( Each CTRL_HSC instruction uses a structure stored
HSC:=W#16#0, in a data block to maintain counter data.
DIR:=FALSE, For SCL, you must first create the DB for the individ-
CV:=FALSE, ual counter instruction before you can reference it.
RV:=FALSE, For LAD and FBD, STEP 7 automatically creates the
Period:=FALSE, DB when you insert the instruction.
New_DIR:=0,
New_CV:=L#0,
New_RV:=L#0,
New_Period:=0,
Busy=>_bool_out_,
Status=>_word_out_);
The CTRL_HSC instruction is typically placed in a hardware interrupt OB that is executed

when the counter hardware interrupt event is triggered. For example, if a CV=RV event
triggers the counter interrupt, then a hardware interrupt OB code block executes the
CTRL_HSC instruction and can change the reference value by loading a NEW_RV value.
Note
The current count value is not available in the CTRL_HSC parameters. The process image
address that stores the current count value is assigned during the hardware configuration of
the high-speed counter. You may use program logic to directly read the count value. The
value returned to your program will be a correct count for the instant in which the counter
was read. The counter will continue to count high-speed events. Therefore, the actual count
value could change before your program completes a process using an old count value.
125
Some of the parameters for the HSC can be modified by your user program to provide
program control of the counting process:
● Set the counting direction to a NEW_DIR value
● Set the current count value to a NEW_CV value
● Set the reference value to a NEW_RV value
● Set the period value (for frequency measurement mode) to a NEW_PERIOD value
If the following Boolean flag values are set to 1 when the CTRL_HSC instruction is executed,
the corresponding NEW_xxx value is loaded to the counter. Multiple requests (more than
one flag is set at the same time) are processed in a single execution of the CTRL_HSC
instruction. Setting the following Boolean flag values to 0 results in no change.
● Setting DIR = 1 loads a NEW_DIR value.
● Setting CV = 1 loads a NEW_CV value.
● Setting RV = 1 loads a NEW_RV value
● Setting PERIOD = 1 loads a NEW_PERIOD value.
CTRL_HSC_EXT instruction (Control high-speed counter (extended)) instruction

STEP 7 and the S7-1200 CPU also support an extended high-speed counter instruction,
CTRL_HSC_EXT. This instruction allows the program to precisely measure the period of the
input pulses of a designated HSC. Refer to the S7-1200 Programmable Controller System
Manual for details.
126
6.6.1 Operation of the high-speed counter

High-speed counters (HSC) can count events that occur faster than the cyclic OB execution
rate. If the events to be counted occur slower than the execution rate of the OB, you can use
CTU, CTD, or CTUD standard counter instructions. If the events occur faster than the OB
execution rate, then use the faster HSC device. The CTRL_HSC instruction allows your
program to programmatically change some of the HSC parameters.
For example: You can use the HSC as an input for an incremental shaft encoder. The shaft
encoder provides a specified number of counts per revolution and a reset pulse that occurs
once per revolution. The clock(s) and the reset pulse from the shaft encoder provide the
inputs to the HSC.
The HSC is loaded with the first of several presets, and the outputs are activated for the time
period where the current count is less than the current preset. The HSC provides an interrupt
when the current count is equal to preset, when reset occurs, and also when there is a
direction change.
As each current-count-value-equals-preset-value interrupt event occurs, a new preset is
loaded and the next state for the outputs is set. When the reset interrupt event occurs, the
first preset and the first output states are set, and the cycle is repeated.
Since the interrupts occur at a much lower rate than the counting rate of the HSC, precise
control of high-speed operations can be implemented with relatively minor impact to the scan
cycle of the CPU. The method of interrupt attachment allows each load of a new preset to be
performed in a separate interrupt routine for easy state control. Alternatively, all interrupt
events can be processed in a single interrupt routine.
HSC input channel selection
Use the following table and ensure that the CPU and SB input channels that you connect
can support the maximum pulse rates in your process signals.
Note
CPU and SB input channels (V4 or later firmware) have configurable input filter times
Earlier firmware versions had fixed HSC input channels and fixed filter times that could not
be changed.
V4 or later versions allow you to assign input channels and filter times. The default input filter
setting of 6.4 ms may be too slow for your process signals. You must optimize the digital
input filter times for the HSC inputs for your HSC application.
127
Table 6- 28 CPU input: maximum frequency
CPU CPU Input channel 1 or 2 phase mode A/B Quadrature phase

mode
1211C Ia.0 to Ia.5 100 kHz 80 kHz
1212C Ia.0 to Ia.5 100 kHz 80 kHz
Ia.6, Ia.7 30 kHz 20 kHz
1214C and 1215C Ia.0 to Ia.5 100kHz 80kHz
Ia.6 to Ib.5 30 kHz 20 kHz
1217C Ia.0 to Ia.5 100 kHz 80 kHz
Ia.6 to Ib.1 30 kHz 20 kHz
Ib.2 to Ib.5 1 MHz 1 MHz
(.2+, .2- to .5+, .5-)
Table 6- 29 SB signal board input: maximum frequency (optional board)
SB signal board SB input channel 1 or 2 phase mode A/B Quadrature phase

mode
SB 1221, 200 kHz Ie.0 to Ie.3 200kHz 160 kHz
SB 1223, 200 kHz Ie.0, Ie.1 200kHz 160 kHz
SB 1223 Ie.0, Ie.1 30 kHz 20 kHz
Selecting the functionality for the HSC

All HSCs function the same way for the same counter mode of operation. Counter mode,
direction control, and initial direction are assigned in the CPU device configuration for HSC
function properties.
There are four basic types of HSC:
● Single-phase counter with internal direction control
● Single-phase counter with external direction control
● Two-phase counter with 2 clock inputs
● A/B phase quadrature counter
128
You can use each HSC type with or without a reset input. When you activate the reset input
(with some restrictions, see the following table), the current value is cleared and held clear
until you deactivate the reset input.
● Frequency function: Some HSC modes allow the HSC to be configured (Type of
counting) to report the frequency instead of a current count of pulses. Three different
frequency measuring periods are available: 0.01, 0.1, or 1.0 seconds.
The frequency measuring period determines how often the HSC calculates and reports a
new frequency value. The reported frequency is an average value determined by the total
number of counts in the last measuring period. If the frequency is rapidly changing, the
reported value will be an intermediate between the highest and lowest frequency
occurring during the measuring period. The frequency is always reported in Hertz (pulses
per second) regardless of the frequency measuring period setting.
● Counter modes and inputs: The following table shows the inputs used for the clock,
direction control, and reset functions associated with the HSC.
● Period measurement function: Period measurement is provided over the configured
measurement interval (10ms, 100ms, or 1000ms). The HSC_Period SDT returns period
measurements and provides the period measurements as two values: ElapsedTime and
EdgeCount. HSC inputs ID1000 to ID1020 are not affected by period measurements:
– ElapsedTime is an unsigned double integer value in nanoseconds representing the
time from the first counting event to the last counting event in the measurement
interval. If the EdgeCount = 0, then the ElapsedTime is the time since the last
counting event in a prior interval. ElapsedTime has a range from 0 to 4,294,967,280
ns (0x0000 0000 to 0xFFFF FFF0). Overflow is indicated by the value 4,294,967,295
(0xFFFF FFFF). The values from 0xFFFF FFF1 to 0xFFFF FFFE are reserved.
– EdgeCount is an unsigned double integer value representing the number of counting
events in the measurement interval.
The same input cannot be used for two different functions, but any input not being used
by the present mode of its HSC can be used for another purpose. For example, if HSC1
is in a mode that uses two built-in inputs but does not use the third external reset input
(default assignment at I0.3), then I0.3 can be used for edge interrupts or for HSC 2.
Table 6- 30 Counting modes for HSC
Type Input 1 Input 2 Input 3 Function

Single-phase counter with Clock - - Count or frequency
internal direction control Reset Count
Single-phase counter with Clock Direction - Count or frequency
external direction control Reset Count
Two-phase counter with 2 Clock up Clock down - Count or frequency
clock inputs Reset Count
A/B-phase quadrature coun- Phase A Phase B - Count or frequency
ter Reset1 Count
1 For an encoder: Phase Z, Home
129
Input addresses for the HSC

When you configure the CPU, you have the option to enable and configure the "Hardware
inputs" for each HSC.
All HSC inputs must be connected to terminals on the CPU module or optional signal board
that plugs into the front of the CPU module.
Note
As shown in the following tables, the default assignments for the optional signals for the
different HSCs overlap. For example, the optional external reset for HSC 1 uses the same
input as one of the inputs for HSC 2. For
For V4 CPUs or later, you can reassign the HSC inputs during the CPU configuration. You
do not have to use the default input assignments.
Always ensure that you have configured your HSCs so that any one input is not being used
by two HSCs.
The following tables show the HSC input default assignments for the on-board I/O of CPUs
and an optional SB. (If the SB model selected has only 2 inputs, only 4.0 and 4.1 inputs are
available.)
HSC input table definitions
● Single-phase: C is Clock input, [d] is direction input (optional), and [R] is external reset
input (optional)
(Reset is available only for "Counting" mode.)
● Two-phase: CU is Clock Up input, CD is Clock Down input, and [R] is external reset
input.(optional)
(Reset is available only for "Counting" mode.)
● AB-phase quadrature: A is the Clock A input, B is the Clock B input, and [R] is external
reset input (optional). (Reset is available only for "Counting" mode.)
Table 6- 31 CPU 1211C: HSC default address assignments
HSC CPU on-board input Optional SB input (default

counter mode (default 0.x) 4.x) 1
0 1 2 3 4 5 0 1 2 3
HSC 1 1-phase C [d] [R] C [d] [R]
2-phase CU CD [R] CU CD [R]
AB-phase A B [R] A B [R]
HSC 2 1-phase [R] C [d] [R] C [d]
2-phase [R] CU CD [R] CU CD
AB-phase [R] A B [R] A B
HSC 3 1-phase C [d] C [d] R]
2-phase
AB-phase
HSC4 1-phase C [d] C [d] R]
2-phase CU CD
130
HSC CPU on-board input Optional SB input (default

counter mode (default 0.x) 4.x) 1
0 1 2 3 4 5 0 1 2 3
AB-phase A B
HSC 5 1-phase C [d] [R]
2-phase CU CD [R]
AB-phase A B [R]
HSC 6 1-phase [R] C [d]
2-phase [R] CU CD
AB-phase [R] A B
1 An SB with only 2 digital inputs provides only the 4.0 and 4.1 inputs.
Table 6- 32 CPU 1212C: HSC default address assignments
HSC counter mode CPU on-board input Optional

(default 0.x) SB input
(default 4.x) 1
0 1 2 3 4 5 6 7 0 1 2 3
2-phase CU CD [R] CU CD [R]
AB-phase A B [R] A B [R]
HSC 2 1-phase [R] C [d] [R] C [d]
2-phase [R] CU CD [R] CU CD
AB-phase [R] A B [R] A B
2-phase CU CD [R]
AB-phase A B [R]
HSC 4 1-phase [R] C [d] C [d] [R]
2-phase [R] CU CD
AB-phase [R] A B
2-phase CU CD [R]
AB-phase A B [R]
2-phase [R] CU CD
AB-phase [R] A B
131
Table 6- 33 CPU 1214C, CPU 1215C, and CPU1217C:

HSC default address assignments
(on-board inputs only, see next table for optional SB addresses)
HSC counter mode Digital input byte 0 Digital input byte 1

(default: 0.x) (default: 1.x)
0 1 2 3 4 5 6 7 0 1 2 3 4 5
2-phase CU CD [R]
AB-phase A B [R]
2-phase [R] CU CD
AB-phase [R] A B
2-phase CU CD [R]
AB-phase A B [R]
2-phase [R] CU CD
AB-phase [R] A B
2-phase CU CD [R]
AB-phase A B [R]
2-phase CU CD [R]
AB-phase A B [R]
Table 6- 34 Optional SB in CPUs in above table: HSC default address assignments
HSC Optional SB inputs (default: 4.x) 1

0 1 2 3
2-phase CU CD [R]
AB-phase A B [R]
2-phase [R] CU CD
AB-phase [R] A B
2-phase CU CD [R]
AB-phase A B [R]
2-phase [R] CU CD
AB-phase [R] A B
132
Note
The digital I/O points used by high-speed counter devices are assigned during CPU device
configuration. When digital I/O point addresses are assigned to HSC devices, the values of
the assigned I/O point addresses cannot be modified by the force function in a watch table.
6.6.2 Configuration of the HSC
You may configure up to 6 high-speed counters. Edit

the CPU device configuration and assign the HSC
properties of each individual HSC.
Enable an HSC by selecting the "Enable" option for
that HSC
Use the CTRL_HSC and/or CTRL_HSC_EXT instruc-
tions in your user program to control the operation of
the HSC.
WARNING
Risks with changes to filter time setting for digital input channels
If the filter time for a digital input channel is changed from a previous setting, a new "0"
level input value might need to be presented for up to 20.0 ms accumulated duration before
the filter becomes fully responsive to new inputs. During this time, short "0" pulse events of
duration less than 20.0 ms may not be detected or counted.
This changing of filter times can result in unexpected machine or process operation, which
can cause death or serious injury to personnel, and/or damage to equipment.
To ensure that a new filter time goes immediately into effect, power cycle the CPU.
133
After enabling the HSC, configure the other parameters, such as counter function, initial
values, reset options and interrupt events.
For additional information about configuring the HSC, refer to the section on configuring the
CPU (Page 80).
134
Easy to communicate between devices 7
For a direct connection between the pro-
gramming device and a CPU:
• The project must include the CPU.
• The programming device is not part of the
project, but must be running STEP 7.
For a direct connection between an HMI

panel and a CPU, the project must include
both the CPU and the HMI.
For a direct connection between two CPUs:

• The project must include both CPUs.
• You must configure a network connection
between the two CPUs.
The S7-1200 CPU is a PROFINET IO controller and communicates with STEP 7 on a

programming device, with HMI devices, and with other CPUs or non-Siemens devices. An
Ethernet switch is not required for a direct connection between a programming device or HMI
and a CPU. An Ethernet switch is required for a network with more than two CPUs or HMI
devices.
By adding a PROFIBUS CM, your CPU can also function as either a master or a slave on a
PROFIBUS network.
Other communication interfaces (CM, CP or CB) support a variety of protocols, such as
Point-to-Point (PTP), Modbus, USS, GPRS (modem), security CP, and remote control CP.
135
Easy to communicate between devices
7.1 Creating a network connection
7.1 Creating a network connection

Use the "Network view" of Device configuration to create the network connections between
the devices in your project. After creating the network connection, use the "Properties" tab of
the inspector window to configure the parameters of the network.
Table 7- 1 Creating a network connection
Action Result
Select "Network view" to display the
devices to be connected.
Select the port on one device and

drag the connection to the port on
the second device.
Release the mouse button to create

the network connection.
136
7.2 Communication options

The S7-1200 offers several types of communication between CPUs and programming
devices, HMIs, and other CPUs.
WARNING
If an attacker can physically access your networks, the attacker can possibly read and write
data.
The TIA Portal, the CPU, and HMIs (except HMIs using GET/PUT) use secure
communication that protects against replay and "man-in-the-middle" attacks. Once
communication is enabled, the exchange of signed messages takes place in clear text
which allows an attacker to read data, but protects against unauthorized writing of data.
The TIA Portal, not the communication process, encrypts the data of know-how protected
blocks.
All other forms of communication (I/O exchange through PROFIBUS, PROFINET, AS-i, or
other I/O bus, GET/PUT, T-Block, and communication modules (CM)) have no security
features. You must protect these forms of communication by limiting physical access. If an
attacker can physically access your networks utilizing these forms of communication, the
attacker can possibly read and write data.
For security information and recommendations, please see our "Operational Guidelines for
Industrial Security" (http://www.industry.siemens.com/topics/global/en/industrial-
security/Documents/operational_guidelines_industrial_security_en.pdf) on the Siemens
Service and Support site.
PROFINET
PROFINET is used for exchanging data through the user program with other
communications partners through Ethernet:
● In the S7-1200, PROFINET supports 16 IO devices with a maximum of 256 submodules,
and PROFIBUS allows 3 independent PROFIBUS DP Masters, supporting 32 slaves per
DP master, with a maximum of 512 modules per DP master.
● S7 communication
● User Datagram Protocol (UDP) protocol
● ISO on TCP (RFC 1006)
● Transport Control Protocol (TCP)
PROFINET IO controller
As an IO controller using PROFINET IO, the CPU communicates with up to 16 PN devices
on the local PN network or through a PN/PN coupler (link). Refer to PROFIBUS and
PROFINET International, PI (www.us.profinet.com) for more information.
137
PROFIBUS
PROFIBUS is used for exchanging data through the user program with other
communications partners through the PROFIBUS network:
● With CM 1242-5, the CPU operates as a PROFIBUS DP slave.
● With CM 1243-5, the CPU operates as a PROFIBUS DP master class1.
● PROFIBUS DP Slaves, PROFIBUS DP Masters, and AS-i (the 3 left-side communication
modules) and PROFINET are separate communications networks that do not limit each
other.
AS-i
The S7-1200 CM 1243-2 AS-i Master allows the attachment of an AS-i network to an S7-
1200 CPU.
CPU-to-CPU S7 communication
You can create a communication connection to a partner station and use the GET and PUT
instructions to communicate with S7 CPUs.
TeleService communication
In TeleService via GPRS, an engineering station on which STEP 7 is installed communicates
via the GSM network and the Internet with a SIMATIC S7-1200 station with a CP 1242-7.
The connection runs via a telecontrol server that serves as an intermediary and is connected
to the Internet.
IO-Link
The S7-1200 SM 1278 4xIO-Link Master enables IO-Link devices to connect to an S7-1200
CPU.
138
7.3 V4.1 asynchronous communication connections
Overview of communication services

The CPU supports the following communication services:
Communication ser- Functionality Using PROFIBUS DP Using

vice CM 1243-5 CM 1242-5 Ethernet
DP master DP slave
module module
PG communication Commissioning, testing, diagnos- Yes No Yes
tics
HMI communication Operator control and monitoring Yes No Yes
S7 communication Data exchange using configured Yes No Yes
connections
Routing of PG func- For example, testing and diagnos- No No No
tions tics beyond network boundaries
PROFIBUS DP Data exchange between master Yes Yes No
and slave
PROFINET IO Data exchange between I/O con- No No Yes
trollers and I/O devices
Web server Diagnostics No No Yes
SNMP Standard protocol for network No No Yes
(Simple Network Man- diagnostics and parameterization
agement Protocol)
Open communication Data exchange over Industrial No No Yes
over TCP/IP Ethernet with TCP/IP protocol (with
loadable FBs)
over ISO on TCP Ethernet with ISO on TCP protocol
(with loadable FBs)
over UDP Ethernet with UDP protocol (with
loadable FBs)
139
Available connections
The CPU supports the following number of maximum simultaneous, asynchronous
communication connections for PROFINET and PROFIBUS. The maximum number of
connection resources allocated to each category are fixed; you cannot change these values.
However, you can configure the 6 "Free available connections" to increase the number of
any category as required by your application.
Based upon the allocated connection resources, the following number of connections per
device are available:
Programming Human Machine GET/PUT Open User Web browser

terminal (PG) Interface (HMI) client/server Communications
Maximum 3 12 8 8 30
number of (guaranteed to (guaranteed to (guaranteed to
connection support support support
resources 1 PG device) 4 HMI devices) 3 web browsers)
For an example, a PG has 3 available connection resources. Depending on the current PG

functions in use, the PG might actually use 1, 2, or 3 of its available connection resources. In
the S7-1200, you are always guaranteed at least 1 PG; however, no more than 1 PG is
allowed.
Another example is the number of HMIs, as shown in the figure below. HMIs have 12
available connection resources. Depending on what HMI type or model that you have and
the HMI functions that you use, each HMI might actually use 1, 2, or 3 of its available
connection resources. Given the number of available connection resources being used, it
may be possible to use more than 4 HMIs at one time. However, you are always guaranteed
at least 4 HMIs. An HMI can use its available connection resources (1 each for a total of 3)
for the following functions:
● Reading
● Writing
● Alarming plus diagnostics
Example HMI 1 HMI 2 HMI 3 HMI 4 HMI 5 Total con-

nection
resources
available
Connection 2 2 2 3 3 12
resources
used
140
Note
Web server (HTTP) connections: The CPU provides connections for multiple web browsers.
The number of browsers that the CPU can simultaneously support depends upon how many
connections a given web browser requests/utilizes.
Note
The Open User Communications, S7 connection, HMI, programming device, and Web server
(HTTP) communication connections may utilize multiple connection resources based upon
the features currently being used.
141
7.4 PROFINET and PROFIBUS instructions
7.4 PROFINET and PROFIBUS instructions
PROFINET instructions
The TSEND_C and TRCV_C instructions make PROFINET communications simpler by
combining the functionality of the TCON and TDISCON instructions with the TSEND or
TRCV instruction.
● TSEND_C establishes a TCP or ISO on TCP communication connection to a partner
station, sends data, and can terminate the connection. After the connection is set up and
established, it is automatically maintained and monitored by the CPU. TSEND_C
combines the functions of the TCON, TDISCON and TSEND instructions into one
instruction.
● TRCV_C establishes a TCP or ISO-on-TCP communication connection to a partner CPU,
receives data, and can terminate the connection. After the connection is set up and
established, it is automatically maintained and monitored by the CPU. The TRCV_C
instruction combines the functions of the TCON, TDISCON, and TRCV instructions into
one instruction.
The TCON, TDISCON, TSEND and TRCV instructions are also supported.
Use the TUSEND and the TURCV instructions to transmit or receive data via UDP. TUSEND
and TURCV (as well as TSEND, TRCV, TCON, TDISCON) function asynchronously, which
means that the processing of the job extends over several instruction calls.
Use the IP_CONF instruction to change the IP configuration parameters from your user
program. IP_CONF works asynchronously. The execution extends over multiple calls.
PROFIBUS instructions
The DPNRM_DG (read diagnostics) instruction reads the current diagnostic data of a DP
slave in the format specified by EN 50 170 Volume 2, PROFIBUS.
Distributed I/O instructions for PROFINET, PROFIBUS and AS-i

You can use the following instructions with PROFINET, PROFIBUS, and GPRS.
● Use the RDREC (read record) and WRREC (write record) instructions to transfer a
specified data record between a component, such as a module in a central rack or a
distributed component (PROFIBUS DP or PROFINET IO).
● Use the RALRM (read alarm) instruction to read an interrupt and its information from a
DP slave or PROFINET IO device component. The information in the output parameters
contains the start information of the called OB as well as information of the interrupt
source.
● Use the DPRD_DAT (read consistent data) and DPWR_DAT (write consistent data)
instructions to transfer consistent data areas greater than 64 bytes from or to a DP
standard slave.
● For PROFIBUS only, use the DPNRM_DG instruction to read the current diagnostic data
of a DP slave in the format specified by EN 50 170 Volume 2, PROFIBUS.
142
7.5 PROFINET
7.5 PROFINET
7.5.1 Open user communication

The integrated PROFINET port of the CPU supports multiple communications standards
over an Ethernet network:
● Transport Control Protocol (TCP)
● ISO on TCP (RFC 1006)
● User Datagram Protocol (UDP)
Table 7- 2 Protocols and communication instructions for each
Protocol Usage examples Entering data in the Communication instruc- Addressing type
receive area tions
TCP CPU-to-CPU com- Ad hoc mode Only TRCV_C and Assigns port numbers to
munication TRCV (V4.1 and legacy the Local (active) and
Transport of frames instructions) Partner (passive) devic-
Data reception with TSEND_C, TRCV_C, es
specified length TCON, TDISCON,
TSEND, and
TRCV(V4.1 and legacy
instructions)
ISO on TCP CPU-to-CPU com- Ad hoc mode Only TRCV_C and Assigns TSAPs to the
munication TRCV (V4.1 and legacy Local (active) and Part-
Message fragmenta- instructions) ner (passive) devices
tion and re-assembly Protocol-controlled TSEND_C, TRCV_C,
TCON, TDISCON,
TSEND, and TRCV
(V4.1 and legacy in-
structions)
UDP CPU-to-CPU com- User Datagram Protocol TUSEND and TURCV Assigns port numbers to
munication the Local (active) and
User program com- Partner (passive) devic-
munications es, but is not a dedicat-
ed connection
S7 communication CPU-to-CPU com- Data transmission and GET and PUT Assigns TSAPs to the
munication reception with specified Local (active) and Part-
Read/write data length ner (passive) devices
from/to a CPU
PROFINET IO CPU-to-PROFINET Data transmission and Built-in Built-in
IO device communi- reception with specified
cation length
143
7.5 PROFINET
7.5.1.1 Ad hoc mode

Typically, TCP and ISO-on-TCP receive data packets of a specified length, ranging from 1 to
8192 bytes. However, the TRCV_C and TRCV communication instructions also provide an
"ad hoc" communications mode that can receive data packets of a variable length from 1 to
1472 bytes.
Note
If you store the data in an "optimized" DB (symbolic only), you can receive data only in
arrays of Byte, Char, USInt, and SInt data types.
To configure the TRCV_C or TRCV instruction for ad hoc mode, set the ADHOC instruction
input parameter.
If you do not call the TRCV_C or TRCV instruction in ad hoc mode frequently, you could
receive more than one packet in one call. For example: If you were to receive five 100-byte
packets with one call, TCP would deliver these five packets as one 500-byte packet, while
ISO-on-TCP would restructure the packets into five 100-byte packets.
7.5.1.2 Connection IDs for the Open user communication instructions

When you insert the TSEND_C, TRCV_C or TCON PROFINET instructions into your user
program, STEP 7 creates an instance DB to configure the communications channel (or
connection) between the devices. Use the "Properties" (Page 152) of the instruction to
configure the parameters for the connection. Among the parameters is the connection ID for
that connection.
● The connection ID must be unique for the CPU. Each connection that you create must
have a different DB and connection ID.
● Both the local CPU and the partner CPU can use the same connection ID number for the
same connection, but the connection ID numbers are not required to match. The
connection ID number is relevant only for the PROFINET instructions within the user
program of the individual CPU.
● You can use any number for the connection ID of the CPU. However, configuring the
connection IDs sequentially from "1" provides an easy method for tracking the number of
connections in use for a specific CPU.
Note
Each TSEND_C, TRCV_C or TCON instruction in your user program creates a new
connection. It is important to use the correct connection ID for each connection.
144
7.5 PROFINET
The following example shows the communication between two CPUs that utilize two
separate connections for sending and receiving the data.
● The TSEND_C instruction in CPU_1 links to the TRCV_C in CPU_2 over the first
connection ("connection ID 1" on both CPU_1 and CPU_2).
● The TRCV_C instruction in CPU_1 links to the TSEND_C in CPU_2 over the second
connection ("connection ID 2" on both CPU_1 and CPU_2).
① TSEND_C on CPU_1 creates a con-

nection and assigns a connection ID
to that connection (connection ID 1 for
CPU_1).
② TRCV_C on CPU_2 creates the con-
nection for CPU_2 and assigns the
connection ID (connection ID 1 for
CPU_2).
③ TRCV_C on CPU_1 creates a second
connection for CPU_1 and assigns a
different connection ID for that con-
nection (connection ID 2 for CPU_1).
④ TSEND_C on CPU_2 creates a sec-
ond connection and assigns a different
connection ID for that connection
(connection ID 2 for CPU_2).
145
7.5 PROFINET
The following example shows the communication between two CPUs that utilize 1
connection for both sending and receiving the data.
● Each CPU uses a TCON instruction to configure the connection between the two CPUs.
● The TSEND instruction in CPU_1 links to the TRCV instruction in CPU_2 by using the
connection ID ("connection ID 1") that was configured by the TCON instruction in CPU_1.
The TRCV instruction in CPU_2 links to the TSEND instruction in CPU_1 by using the
● The TSEND instruction in CPU_2 links to the TRCV instruction in CPU_1 by using the
The TRCV instruction in CPU_1 links to the TSEND instruction in CPU_2 by using the
① TCON on CPU_1 creates a connec-

tion and assigns a connection ID for
that connection on CPU_1 (ID=1).
② TCON on CPU_2 creates a connec-
tion and assigns a connection ID for
③ TSEND and TRCV on CPU_1 use the
connection ID created by the TCON
on CPU_1 (ID=1).
TSEND and TRCV on CPU_2 use the
connection ID created by the TCON
on CPU_2 (ID=1).
146
7.5 PROFINET
As shown in the following example, you can also use individual TSEND and TRCV
instruction to communication over a connection created by a TSEND_C or TRCV_C
instruction. The TSEND and TRCV instructions do not themselves create a new connection,
so must use the DB and connection ID that was created by a TSEND_C, TRCV_C or TCON
instruction.
① TSEND_C on CPU_1 creates a con-

nection and assigns a connection ID
to that connection (ID=1).
② TRCV_C on CPU_2 creates a connec-
tion and assigns the connection ID to
③ TSEND and TRCV on CPU_1 use the
connection ID created by the
TSEND_C on CPU_1 (ID=1).
TSEND and TRCV on CPU_2 use the
connection ID created by the TRCV_C
on CPU_2 (ID=1).
147
7.5 PROFINET
7.5.1.3 Parameters for the PROFINET connection

The TSEND_C, TRCV_C and TCON instructions require that connection-related parameters
be specified in order to connect to the partner device. These parameters are assigned by the
TCON_Param structure for the TCP, ISO-on-TCP, and UDP protocols. Typically, you use the
"Configuration" tab of the "Properties" of the instruction to specify these parameters. If the
"Configuration" tab is not accessible, then you must specify the TCON_Param structure
programmatically.
TCON_Param
Table 7- 3 Structure of the connection description (TCON_Param)
Byte Parameter and data type Description

0…1 block_length UInt Length: 64 bytes (fixed)
2…3 id CONN_OUC Reference to this connection: Range of values: 1 (default) to 4095.
(Word) Specify the value of this parameter for the TSEND_C, TRCV_C or
TCON instruction under ID.
4 connection_type USInt Connection type:
• 17: TCP (default)
• 18: ISO-on-TCP
• 19: UDP
5 active_est Bool ID for the type of connection:
• TCP and ISO-on-TCP:
– FALSE: Passive connection
– TRUE: Active connection (default)
• UDP: FALSE
6 local_device_id USInt ID for the local PROFINET or Industrial Ethernet interface:
1 (default)
7 local_tsap_id_len USInt Length of parameter local_tsap_id used, in bytes; possible values:
• TCP: 0 (active, default) or 2 (passive)
• ISO-on-TCP: 2 to 16
• UDP: 2
8 rem_subnet_id_len USInt This parameter is not used.
9 rem_staddr_len USInt Length of address of partner end point, in bytes:
• 0: unspecified (parameter rem_staddr is irrelevant)
• 4 (default): Valid IP address in parameter rem_staddr (only for
TCP and ISO-on-TCP)
10 rem_tsap_id_len USInt Length of parameter rem_tsap_id used, in bytes; possible values:
• TCP: 0 (passive) or 2 (active, default)
• ISO-on-TCP: 2 to 16
• UDP: 0
11 next_staddr_len USInt This parameter is not used.
148
7.5 PROFINET
Byte Parameter and data type Description

12 … 27 local_tsap_id Array [1..16] of Local address component of connection:
Byte
• TCP and ISO-on-TCP: local port no. (possible values: 1 to
49151; recommended values: 2000...5000):
– local_tsap_id[1] = high byte of port number in hexadecimal
notation;
– local_tsap_id[2] = low byte of port number in hexadecimal
notation;
– local_tsap_id[3-16] = irrelevant
• ISO-on-TCP: local TSAP-ID:
– local_tsap_id[1] = B#16#E0;
– local_tsap_id[2] = rack and slot of local end points (bits 0 to
4: slot number, bits 5 to 7: rack number);
–  local_tsap_id[3-16] = TSAP extension, optional
• UDP: This parameter is not used.
Note: Make sure that every value of local_tsap_id is unique within
the CPU.
28 … 33 rem_subnet_id Array [1..6] of This parameter is not used.
USInt
34 … 39 rem_staddr Array [1..6] of TCP and ISO-on-TCP only: IP address of the partner end point.
USInt (Not relevant for passive connections.) For example, IP address
192.168.002.003 is stored in the following elements of the array:
rem_staddr[1] = 192
rem_staddr[2] = 168
rem_staddr[3] = 002
rem_staddr[4] = 003
rem_staddr[5-6]= irrelevant
40 … 55 rem_tsap_id Array [1..16] of Partner address component of connection
Byte
• TCP: partner port number. Range: 1 to 49151; Recommended
values: 2000 to 5000):
– rem_tsap_id[1] = high byte of the port number in hexadeci-
mal notation
– rem_tsap_id[2] = low byte of the port number in hexadeci-
mal notation;
– rem_tsap_id[3-16] = irrelevant
• ISO-on-TCP: partner TSAP-ID:
– rem_tsap_id[1] = B#16#E0
– rem_tsap_id[2] = rack and slot of partner end point (bits 0
to 4: Slot number, bits 5 to 7: rack number)
– rem_tsap_id[3-16] = TSAP extension, optional
• UDP: This parameter is not used.
56 … 61 next_staddr Array [1..6] of This parameter is not used.
Byte
62 … 63 spare Word Reserved: W#16#0000
149
7.5 PROFINET
7.5.2 Configuring the Local/Partner connection path

A Local / Partner (remote) connection defines a logical assignment of two communication
partners to establish communication services. A connection defines the following:
● Communication partners involved (One active, one passive)
● Type of connection (for example, a PLC, HMI, or device connection)
● Connection path
Communication partners execute the instructions to set up and establish the communication
connection. You use parameters to specify the active and passive communication end point
partners. After the connection is set up and established, it is automatically maintained and
monitored by the CPU.
If the connection is terminated (for example, due to a line break), the active partner attempts
to re-establish the configured connection. You do not have to execute the communication
instruction again.
Connection paths
After inserting a TSEND_C, TRCV_C or TCON instruction into the user program, the
inspector window displays the properties of the connection whenever you have selected any
part of the instruction. Specify the communication parameters in the "Configuration" tab of
the "Properties" for the communication instruction.
Table 7- 4 Configuring the connection path (using the properties of the instruction)
TCP, ISO-on-TCP, and UDP Connection properties

For the TCP, ISO-on-TCP, and UDP Ethernet
protocols, use the "Properties" of the instruction
(TSEND_C, TRCV_C, or TCON) to configure the
"Local/Partner" connections.
The illustration shows the "Connection proper-
ties" of the "Configuration tab" for an ISO-on-
TCP connection.
150
7.5 PROFINET
Note
When you configure the connection properties for one CPU, STEP 7 allows you either to
select a specific connection DB in the partner CPU (if one exists), or to create the connection
DB for the partner CPU. The partner CPU must already have been created for the project
and cannot be an "unspecified" CPU.
You must still insert a TSEND_C, TRCV_C or TCON instruction into the user program of the
partner CPU. When you insert the instruction, select the connection DB that was created by
the configuration.
Table 7- 5 Configuring the connection path for S7 communication (Device configuration)
S7 communication (GET and PUT) Connection properties

For S7 communication, use the "Devices & net-
works" editor of the network to configure the
Local/Partner connections. You can click the
"Highlighted: Connection" button to access the
"Properties".
The "General" tab provides several properties:
• "General" (shown)
• "Local ID"
• "Special connection properties"
• "Address details" (shown)
Refer to "Protocols" (Page 147) in the "PROFINET" section or to "Creating an S7

connection" (Page 169) in the "S7 communication" section for more information and a list of
available communication instructions.
151
7.5 PROFINET
Table 7- 6 Parameters for the multiple CPU connection
Parameter Definition
Address Assigned IP addresses
General End point Name assigned to the partner (receiving) CPU
Interface Name assigned to the interfaces
Subnet Name assigned to the subnets
Interface type S7 communication only: Type of interface
Connection type Type of Ethernet protocol
Connection ID ID number
Connection data Local and Partner CPU data storage location
Establish active connec- Radio button to select Local or Partner CPU as the active connection
tion
Address de- End point S7 communication only: Name assigned to the partner (receiving) CPU
tails Rack/slot S7 communication only: Rack and slot location
Connection resource S7 communication only: Component of the TSAP used when configuring an
S7 connection with an S7-300 or S7-400 CPU
Port (decimal): TCP and UPD: Partner CPU port in decimal format
TSAP and Subnet ID:
1 ISO on TCP (RFC 1006) and S7 communication: Local and partner CPU
TSAPs in ASCII and hexadecimal formats
1 When configuring a connection with an S7-1200 CPU for ISO-on-TCP, use only ASCII characters in the TSAP extension
for the passive communication partners.
Transport Service Access Points (TSAPs)

Using TSAPs, ISO on TCP protocol and S7 communication allows multiple connections to a
single IP address (up to 64K connections). TSAPs uniquely identify these communication
end point connections to an IP address.
In the "Address Details" section of the Connection Parameters dialog, you define the TSAPs
to be used. The TSAP of a connection in the CPU is entered in the "Local TSAP" field. The
TSAP assigned for the connection in your partner CPU is entered under the "Partner TSAP"
field.
Port Numbers
With TCP and UDP protocols, the connection parameter configuration of the Local (active)
connection CPU must specify the remote IP address and port number of the Partner
(passive) connection CPU.
In the "Address Details" section of the Connection Parameters dialog, you define the ports to
be used. The port of a connection in the CPU is entered in the "Local Port" field. The port
assigned for the connection in your partner CPU is entered under the "Partner Port" field.
152
7.6 PROFIBUS
7.6 PROFIBUS
A PROFIBUS system uses a bus master to poll slave devices distributed in a multi-drop
fashion on an RS485 serial bus. A PROFIBUS slave is any peripheral device (I/O
transducer, valve, motor drive, or other measuring device) which processes information and
sends its output to the master. The slave forms a passive station on the network since it
does not have bus access rights, and can only acknowledge received messages, or send
response messages to the master upon request. All PROFIBUS slaves have the same
priority, and all network communication originates from the master.
A PROFIBUS master forms an "active station" on the network. PROFIBUS DP defines two
classes of masters. A class 1 master (normally a central programmable controller (PLC) or a
PC running special software) handles the normal communication or exchange of data with
the slaves assigned to it. A class 2 master (usually a configuration device, such as a laptop
or programming console used for commissioning, maintenance, or diagnostics purposes) is
a special device primarily used for commissioning slaves and for diagnostic purposes.
The S7-1200 is connected to a PROFIBUS network as a DP slave with the CM 1242-5
communication module. The CM 1242-5 (DP slave) module can be the communications
partner of DP V0/V1 masters. If you want to configure the module in a third-party system,
there is a GSD file available for the CM 1242-5 (DP slave) on the CD that ships with the
module and on Siemens Automation Customer Support
(http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=6G
K72425DX300XE0&caller=view) pages on the Internet.
In the figure below, the S7-1200 is a DP slave to an S7-300 controller:
The S7-1200 is connected to a PROFIBUS network as a DP master with the CM 1243-5

communication module. The CM 1243-5 (DP master) module can be the communications
partner of DP V0/V1 slaves. In the figure below, the S7-1200 is a master controlling an
ET200S DP slave:
153
7.6 PROFIBUS
If a CM 1242-5 and a CM 1243-5 are installed together, an S7-1200 can perform as both a
slave of a higher-level DP master system and a master of a lower-level DP slave system,
simultaneously:
For V4.0, you can configure a maximum of three PROFIBUS CMs per station, in which there
can be any combination of DP master or DP slave CMs. DP masters in a V3.0 or greater
CPU firmware implementation can each control a maximum of 32 slaves.
The configuration data of the PROFIBUS CMs is stored on the local CPU. This allows simple
replacement of these communications modules when necessary.
7.6.1 Communications services of the PROFIBUS CMs

The PROFIBUS CMs use the PROFIBUS DP-V1 protocol.
Types of communication with DP-V1

The following types of communication are available with DP-V1:
● Cyclic communication (CM 1242-5 and CM 1243-5)
Both PROFIBUS modules support cyclic communication for the transfer of process data
between DP slave and DP master.
Cyclic communication is handled by the operating system of the CPU. No software blocks
are required for this. The I/O data is read or written directly from/to the process image of
the CPU.
● Acyclic communication (CM 1243-5 only)
The DP master module also supports acyclic communication using software blocks:
– The "RALRM" instruction is available for interrupt handling.
– The "RDREC" and "WRREC" instructions are available for transferring configuration
and diagnostics data.
Functions not supported by the CM 1243-5: SYNC/FREEZE and Get_Master_Diag
154
7.6 PROFIBUS
Other communications services of the CM 1243-5

The CM 1243-5 DP master module supports the following additional communications
services:
● S7 communication
– PUT/GET services
The DP master functions as a client and server for queries from other S7 controllers or
PCs via PROFIBUS.
– PG/OP communication
The PG functions allow the downloading of configuration data and user programs from
a PG and the transfer of diagnostics data to a PG.
Possible communications partners for OP communication are HMI panels, SIMATIC
panel PCs with WinCC flexible or SCADA systems that support S7 communication.
7.6.2 Reference to the PROFIBUS CM user manuals
Further information
You can find detailed information on the PROFIBUS CMs in the manuals for the devices.
You can find these on the Internet in the pages of Siemens Industrial Automation Customer
Support under the following entry IDs:
● CM 1242-5 (http://support.automation.siemens.com/WW/view/en/49852105)
● CM 1243-5 (http://support.automation.siemens.com/WW/view/en/49851842)
155
7.6 PROFIBUS
7.6.3 Adding the CM 1243-5 (DP master) module and a DP slave

In the "Devices and networks" portal, use the hardware catalog to add PROFIBUS modules
to the CPU. These modules are connected to the left side of the CPU. To insert a module
into the hardware configuration, select the module in the hardware catalog and either
double-click or drag the module to the highlighted slot.
Table 7- 7 Adding a PROFIBUS CM 1243-5 (DP master) module to the device configuration

CM 1243-5
(DP mas-
ter)
Use the hardware catalog to add DP slaves as well. For example, to add an ET200 S DP
slave, in the Hardware Catalog, expand the following containers:
● Distributed I/O
● ET200 S
● Interface modules
● PROFIBUS
Next, select "6ES7 151-1BA02-0AB0" (IM151-1 HF) from the list of part numbers, and add
the ET200 S DP slave as shown in the figure below.
Table 7- 8 Adding an ET200 S DP slave to the device configuration
Insert the DP slave Result
156
7.6 PROFIBUS
7.6.4 Assigning PROFIBUS addresses to the CM 1243-5 module and DP slave
Configuring the PROFIBUS interface

After you configure logical network connections between two PROFIBUS devices, you can
configure parameters for the PROFIBUS interfaces. To do so, click the purple PROFIBUS
box on the CM 1243-5 module, and the "Properties" tab in the inspector window displays the
PROFIBUS interface. The DP slave PROFIBUS interface is configured in the same manner.
Table 7- 9 Configuring the CM 1243-5 (DP master) module and ET200 S DP slave PROFIBUS in-
terfaces
CM 1243-5 (DP master) module ET200 S DP slave
① PROFIBUS port
Assigning the PROFIBUS address

In a PROFIBUS network, each device is assigned a PROFIBUS address. This address can
range from 0 through 127, with the following exceptions:
● Address 0: Reserved for network configuration and/or programming tools attached to the
bus
● Address 1: Reserved by Siemens for the first master
● Address 126: Reserved for devices from the factory that do not have a switch setting and
must be re-addressed through the network
● Address 127: Reserved for broadcast messages to all devices on the network and may
not be assigned to operational devices
Thus, the addresses that may be used for PROFIBUS operational devices are 2 through
125.
157
7.6 PROFIBUS
In the Properties window, select the "PROFIBUS address" configuration entry. STEP 7
displays the PROFIBUS address configuration dialog, which is used to assign the
PROFIBUS address of the device.
Table 7- 10 Parameters for the PROFIBUS address
Parameter Description
Subnet Name of the Subnet to which the device is connected. Click the "Add new subnet" button to create a
new subnet. "Not connected" is the default. Two connection types are possible:
• The "Not connected" default provides a local connection.
• A subnet is required when your network has two or more devices.
Parameters Address Assigned PROFIBUS address for the device
Highest address The highest PROFIBUS address is based on the active stations on the
PROFIBUS (for example, DP master). Passive DP slaves independently
have PROFIBUS addresses from 1 to 125 even if the highest PROFIBUS
address is set to 15, for example. The highest PROFIBUS address is rele-
vant for token forwarding (forwarding of the send rights), and the token is
only forwarded to active stations. Specifying the highest PROFIBUS ad-
dress optimizes the bus.
Transmission rate Transmission rate of the configured PROFIBUS network: The PROFIBUS
transmission rates range from 9.6 Kbits/sec to 12 Mbits/sec. The transmis-
sion rate setting depends on the properties of the PROFIBUS nodes being
used. The transmission rate should not be greater than the rate supported
by the slowest node.
The transmission rate is normally set for the master on the PROFIBUS
network, with all DP slaves automatically using that same transmission rate
(auto-baud).
158
7.7 AS-i
7.7 AS-i
The S7-1200 AS-i master CM 1243-2 allows the attachment of an AS-i network to an S7-
1200 CPU.
The actuator/sensor interface, or AS-i, is a single master network connection system for the
lowest level in automation systems. The CM 1243-2 serves as the AS-i master for the
network. Using a single AS-i cable, sensors and actuators (AS-i slave devices) can be
connected to the CPU through the CM 1243-2. The CM 1243-2 handles all AS-i network
coordination and relays data and status information from the actuators and sensors to the
CPU through the I/O addresses assigned to the CM 1243-2. You can access binary or
analog values depending on the slave type. The AS-i slaves are the input and output
channels of the AS-i system and are only active when called by the CM 1243-2.
In the figure below, the S7-1200 is an AS-i master controlling AS-i I/O module digital/analog
slave devices.
159
7.7 AS-i
7.7.1 Adding the AS-i master CM 1243-2 and AS-i slave

Use the hardware catalog to add AS-i master CM1243-2 modules to the CPU. These
modules are connected to the left side of the CPU, and a maximum of three AS-i master
CM1243-2 modules can be used. To insert a module into the hardware configuration, select
the module in the hardware catalog and either double-click or drag the module to the
highlighted slot.
Table 7- 11 Adding an AS-i master CM1243-2 module to the device configuration

CM 1243-2
AS-i Mas-
ter
Use the hardware catalog to add AS-i slaves as well. For example, to add an "I/O module,
compact, digital, input" slave, in the Hardware Catalog, expand the following containers:
● Field devices
● AS-Interface slaves
Next, select "3RG9 001-0AA00" (AS-i SM-U, 4DI) from the list of part numbers, and add the
"I/O module, compact, digital, input" slave as shown in the figure below.
Table 7- 12 Adding an AS-i slave to the device configuration
Insert the AS-i slave Result
160
7.7 AS-i
7.7.2 Assigning an AS-i address to an AS-i slave
Configuring the AS-i slave interface

To configure parameters for the AS-i interface, click the yellow AS-i box on the AS-i slave,
and the "Properties" tab in the inspector window displays the AS-i interface.
① AS-i port
161
7.7 AS-i
Assigning the AS-i slave address

In an AS-i network, each device is assigned an AS-i slave address. This address can range
from 0 through 31; however, address 0 is reserved only for new slave devices. The slave
addresses are 1(A or B) to 31(A or B) for a total of up to 62 slave devices.
"Standard" AS-i devices use the entire address, having a number address without the A or B
designation. "A/B node" AS-i devices use the A or B portion of each address, enabling each
of the 31 addresses to be used twice. The address space range is 1A to 31A plus 1B to 31B.
Any address in the range of 1 - 31 can be assigned to an AS-i slave device; in other words, it
does not matter whether the slaves begin with address 21 or whether the first slave is
actually given the address 1.
In the example below, three AS-i devices have been addressed as "1" (a standard type
device), "2A" (an A/B node type device), and "3" (a standard type device):
① AS-i slave address 1; Device: AS-i SM-U, 4DI; article number: 3RG9 001-0AA00
② AS-i slave address 2A; Device: AS-i 8WD44, 3DO, A/B; article number: 8WD4 428-0BD
③ AS-i slave address 3; Device: AS-i SM-U, 2DI/2DO; article number: 3RG9 001-0AC00
162
7.7 AS-i
Enter the AS-i slave address here:
Table 7- 13 Parameters for the AS-i interface
Parameter Description
Network Name of the network to which the device is connected
Address(es) Assigned AS-i address for the slave device in range of 1(A or B) to 31(A or B) for a total of up to 62
slave devices
163
7.8 S7 communication
7.8.1 GET and PUT instructions

You can use the GET and PUT instructions to communicate with S7 CPUs through
PROFINET and PROFIBUS connections. This is only possible if the "Permit access with
PUT/GET communication" function is activated for the partner CPU in the "Protection"
property of the local CPU properties:
● Accessing data in a remote CPU: An S7-1200 CPU can only use absolute addresses in
the ADDR_x input field to address variables of remote CPUs (S7-200/300/400/1200).
● Accessing data in a standard DB: An S7-1200 CPU can only use absolute addresses in
the ADDR_x input field to address DB variables in a standard DB of a remote S7 CPU.
● Accessing data in an optimized DB: An S7-1200 CPU cannot access DB variables in an
optimized DB of a remote S7-1200 CPU.
● Accessing data in a local CPU: An S7-1200 CPU can use either absolute or symbolic
addresses as inputs to the RD_x or SD_x input fields of the GET or PUT instruction,
respectively.
STEP 7 automatically creates the DB when you insert the instruction.
Note
To ensure data consistency, always evaluate when the operation has been completed
(NDR = 1 for GET, or DONE = 1 for PUT) before accessing the data or initiating another
read or write operation.
Note
V4.0 CPU program GET/PUT operation is not automatically enabled
A V3.0 CPU program GET/PUT operation is automatically enabled in a V4.0 CPU.
However, a V4.0 CPU program GET/PUT operation in a V4.0 CPU is not automatically
enabled. You must go the CPU "Device configuration", inspector window "Properties"tab,
"Protection" property to enable GET/PUT access (Page 87).
164
7.8.2 Creating an S7 connection
Connection mechanisms
To access remote connection partners with PUT/GET instructions, the user must also have
permission.
By default, the "Permit access with PUT/GET communication" option is not enabled. In this
case, read and write access to CPU data is only possible for communication connections
that require configuration or programming both for the local CPU and for the communication
partner. Access through BSEND/BRCV instructions is possible, for example.
Connections for which the local CPU is only a server (meaning that no
configuration/programming of the communication with the communication partner exists at
the local CPU), are therefore not possible during operation of the CPU, for example:
● PUT/GET, FETCH/WRITE or FTP access through communication modules
● PUT/GET access from other S7 CPUs
● HMI access through PUT/GET communication
If you want to allow access to CPU data from the client side, that is, you do not want to
restrict the communication services of the CPU, you can configure the access protection for
the S7-1200 CPU (Page 87) for this level of security.
Connection types
The connection type that you select creates a communication connection to a partner
station. The connection is set up, established, and automatically monitored.
In the Devices and Networks portal, use the "Network view" to create the network
connections between the devices in your project. First, click the "Connections" tab, and then
select the connection type with the dropdown, just to the right (for example, an S7
connection). Click the green (PROFINET) box on the first device, and drag a line to the
PROFINET box on the second device. Release the mouse button and your PROFINET
connection is joined.
Refer to "Creating a network connection" (Page 140) for more information.
Click the "Highlighted: Connection" button to access the "Properties" configuration dialog of
the communication instruction.
165
7.8.3 GET/PUT connection parameter assignment

The GET/PUT instructions connection parameter assignment is a user aid for configuring S7
CPU-CPU communication connections.
After inserting a GET or PUT block, the GET/PUT instructions connection parameter
assignment is started:
The inspector window displays the properties of the connection whenever you have selected
any part of the instruction. Specify the communication parameters in the "Configuration" tab
of the "Properties" for the communication instruction.
After inserting a GET or PUT block, the "Configuration" tab automatically appears and the
"Connection parameters" page is immediately shown. This page allows the user to configure
the necessary S7 connection and to configure the parameter "Connection ID" that is
referenced by the block parameter "ID". A "Block parameters" page allows the user to
configure additional block parameters.
Note
V4.0 CPU program GET/PUT operation is not automatically enabled
A V3.0 CPU program GET/PUT operation is automatically enabled in a V4.0 CPU.
However, a V4.0 CPU program GET/PUT operation in a V4.0 CPU is not automatically
enabled. You must go the CPU "Device configuration", inspector window "Properties"tab,
"Protection" property to enable GET/PUT access (Page 87).
166
7.9 GPRS
7.9 GPRS
7.9.1 Connection to a GSM network
IP-based WAN communication via GPRS

Using the CP 1242-7 communications processor, the S7-1200 can be connected to GSM
networks. The CP 1242-7 allows WAN communication from remote stations with a control
center and inter-station communication.
Inter-station communication is possible only via a GSM network. For communication
between a remote station and a control room, the control center must have a PC with
Internet access.
The CP 1242-7 supports the following services for communication via the GSM network:
● GPRS (General Packet Radio Service)
The packet-oriented service for data transmission "GPRS" is handled via the GSM
network.
● SMS (Short Message Service)
The CP 1242-7 can receive and send SMS messages. The communications partner can
be a mobile phone or an S7-1200.
The CP 1242-7 is suitable for use in industry worldwide and supports the following frequency
bands:
● 850 MHz
● 900 MHz
● 1,800 MHz
● 1,900 MHz
167
7.9 GPRS
Requirements
The equipment used in the stations or the control center depends on the particular
application.
● For communication with or via a central control room, the control center requires a PC
with Internet access.
● Apart from the station equipment, a remote S7-1200 station with a CP 1242-7 must meet
the following requirements to be able to communicate via the GSM network:
– A contract with a suitable GSM network provider
If GPRS is used, the contract must allow the use of the GPRS service.
If there is to be direct communication between stations only via the GSM network, the
GSM network provider must assign a fixed IP address to the CPs. In this case,
communication between stations is not via the control center.
– The SIM card belonging to the contract
The SIM card is inserted in the CP 1242-7.
– Local availability of a GSM network in the range of the station
168
7.9 GPRS
7.9.2 Applications of the CP 1242-7

The CP 1242-7 can be used for the following applications:
Telecontrol applications
● Sending messages by SMS
Via the CP 1242-7, the CPU of a remote S7-1200 station can receive SMS messages
from the GSM network or send messages by SMS to a configured mobile phone or an
S7-1200.
● Communication with a control center
Remote S7-1200 stations communicate via the GSM network and the Internet with a
telecontrol server in the master station. For data transfer using GPRS, the
"TELECONTROL SERVER BASIC" application is installed on the telecontrol server in the
master station. The telecontrol server communicates with a higher-level central control
system using the integrated OPC server function.
● Communication between S7-1200 stations via a GSM network
Communication between remote stations with a CP 1242-7 can be handled in two
different ways:
– Inter-station communication via a master station
In this configuration, a permanent secure connection between S7-1200 stations that
communicate with each other and the telecontrol server is established in the master
station. Communication between the stations is via the telecontrol server. The
CP 1242-7 operates in "Telecontrol" mode.
– Direct communication between the stations
For direct communication between stations without the detour via the master station,
SIM cards with a fixed IP address are used that allow the stations to address each
other directly. The possible communications services and security functions (for
example VPN) depend on what is offered by the network provider. The CP 1242-7
operates in "GPRS direct" mode.
TeleService via GPRS

A TeleService connection can be established between an engineering station with STEP 7
and a remote S7-1200 station with a CP 1242-7 via the GSM network and the Internet. The
connection runs from the engineering station via a telecontrol server or a TeleService
gateway that acts as an intermediary forwarding frames and establishing the authorization.
These PCs use the functions of the "TELECONTROL SERVER BASIC" application.
You can use the TeleService connection for the following purposes:
● Downloading configuration or program data from the STEP 7 project to the station
● Querying diagnostics data on the station
169
7.9 GPRS
7.9.3 Other properties of the CP-1242-7
Other services and functions of the CP 1242-7

● Time-of-day synchronization of the CP via the Internet
You can set the time on the CP as follows:
– In "Telecontrol" mode, the time of day is transferred by the telecontrol server. The CP
uses this to set its time.
– In "GPRS direct" mode, the CP can request the time using SNTP.
To synchronize the CPU time, you can read out the current time from the CP using a
block.
● Interim buffering of messages to be sent if there are connection problems
● Increased availability thanks to the option of connecting to a substitute telecontrol server
● Optimized data volume (temporary connection)
As an alternative to a permanent connection to the telecontrol server, the CP can be
configured in STEP 7 with a temporary connection to the telecontrol server. In this case,
a connection to the telecontrol server is established only when required.
● Logging the volume of data
The volumes of data transferred are logged and can be evaluated for specific purposes.
170
7.9 GPRS
7.9.4 Configuration and electrical connections
Configuration and module replacement

To configure the module, the following configuration tool is required:
STEP 7 version V11.0 SP1 or higher
For STEP 7 V11.0 SP1, you also require support package "CP 1242-7" (HSP0003001).
For process data transfer using GPRS, use the telecontrol communications instructions in
the user program of the station.
The configuration data of the CP 1242-7 is stored on the local CPU. This allows simple
replacement of the CP when necessary.
You can insert up to three modules of the CP 1242-7 type per S7-1200. This, for example,
allows redundant communications paths to be established.
Electrical connections
● Power supply of the CP 1242-7
The CP has a separate connection for the external 24 VDC power supply.
● Wireless interface for the GSM network
An extra antenna is required for GSM communication. This is connected via the SMA
socket of the CP.
7.9.5 Further information
Further information
The CP 1242-7 manual contains detailed information. You will find this on the Internet on the
pages of Siemens Industrial Automation Customer Support under the following entry ID:
45605894 (http://support.automation.siemens.com/WW/view/en/45605894)
171
7.9 GPRS
7.9.6 Accessories
The ANT794-4MR GSM/GPRS antenna

The following antennas are available for use in GSM/GPRS networks and can be installed
both indoors and outdoors:
● Quadband antenna ANT794-4MR
Short name Order no. Explanation

ANT794-4MR 6NH9 860-1AA00 Quadband antenna (900, 1800/1900 MHz, UMTS);
weatherproof for indoor and outdoor areas; 5 m
connecting cable connected permanently to the
antenna; SMA connector, including installation
bracket, screws, wall plugs
● Flat antenna ANT794-3M
Short name Order no. Explanation

ANT794-3M 6NH9 870-1AA00 Flat antenna (900, 1800/1900 MHz); weatherproof
for indoor and outdoor areas; 1.2 m connecting cable
connected permanently to the antenna; SMA con-
nector, including adhesive pad, screws mounting
possible
The antennas must be ordered separately.
172
7.9 GPRS
7.9.7 Reference to GSM antenna manual
Further information
You will find detailed information in the device manual. You will find this on the Internet on
the pages of Siemens Industrial Automation Customer Support under the following entry ID:
23119005 (http://support.automation.siemens.com/WW/view/en/23119005)
7.9.8 Configuration examples for telecontrol

Below, you will find several configuration examples for stations with a CP 1242-7.
Sending messages by SMS
A SIMATIC S7-1200 with a CP 1242-7 can send messages by SMS to a mobile phone or a
configured S7-1200 station.
173
7.9 GPRS
Telecontrol by a control center
Figure 7-1 Communication between S7-1200 stations and a control center
In telecontrol applications, SIMATIC S7-1200 stations with a CP 1242-7 communicate with a

control center via the GSM network and the Internet. The "TELECONTROL SERVER
BASIC" (TCSB) application is installed on the telecontrol server in the master station. This
results in the following use cases:
● Telecontrol communication between station and control center
In this use case, data from the field is sent by the stations to the telecontrol server in the
master station via the GSM network and Internet. The telecontrol server is used to
monitor remote stations.
● Communication between a station and a control room with OPC client
As in the first case, the stations communicate with the telecontrol server. Using its
integrated OPC server, the telecontrol server exchanges data with the OPC client of the
control room.
The OPC client and telecontrol server can be located on a single computer, for example
when TCSB is installed on a control center computer with WinCC.
● Inter-station communication via a control center
Inter-station communication is possible with S7 stations equipped with a CP 1242-7.
To allow inter-station communication, the telecontrol server forwards the messages of the
sending station to the receiving station.
174
7.9 GPRS
Direct communication between stations
Figure 7-2 Direct communication between two S7-1200 stations
In this configuration, two SIMATIC S7-1200 stations communicate directly with each other
using the CP 1242-7 via the GSM network. Each CP 1242-7 has a fixed IP address. The
relevant service of the GSM network provider must allow this.
TeleService via GPRS

In TeleService via GPRS, an engineering station on which STEP 7 is installed communicates
via the GSM network and the Internet with the CP 1242-7 in the S7-1200.
Since a firewall is normally closed for connection requests from the outside, a switching
station between the remote station and the engineering station is required. This switching
station can be a telecontrol server or, if there is no telecontrol server in the configuration, a
TeleService gateway.
175
7.9 GPRS
TeleService with telecontrol server

The connection runs via the telecontrol server.
● The engineering station and telecontrol server are connected via the Intranet (LAN) or
Internet.
● The telecontrol server and remote station are connected via the Internet and via the GSM
network.
The engineering station and telecontrol server can also be the same computer; in other
words, STEP 7 and TCSB are installed on the same computer.
Figure 7-3 TeleService via GPRS in a configuration with telecontrol server
176
7.9 GPRS
TeleService without a telecontrol server

The connection runs via the TeleService gateway.
The connection between the engineering station and the TeleService gateway can be local
via a LAN or via the Internet.
Figure 7-4 TeleService via GPRS in a configuration with TeleService gateway
177
7.10 PtP, USS, and Modbus communication protocols
7.10.1 Point-to-point communication

The CPU supports the following Point-to-Point communication (PtP) for character-based
serial protocols:
● PtP (Page 185)
● USS (Page 186)
● Modbus (Page 188)
PtP provides maximum freedom and flexibility, but requires extensive implementation in the
user program.
PtP enables a wide variety of possibilities:

• The ability to send information directly to an external
device such as a printer
• The ability to receive information from other devices
such as barcode readers, RFID readers, third-party
camera or vision systems, and many other types of
devices
• The ability to exchange information, sending and
receiving data, with other devices such as GPS
devices, third-party camera or vision systems, radio
modems, and many more
This type of PtP communication is serial communica-
tion that uses standard UARTs to support a variety of
baud rates and parity options. The RS232 and
RS422/485 communication modules (CM 1241) and
the RS485 communication board (CB 1241) provide
the electrical interfaces for performing the PtP commu-
nications.
178
PtP over PROFIBUS or PROFINET

Version V4.1 of the S7-1200 CPU together with STEP 7 V13 SP1 extends the capability of
PtP to use a PROFINET or PROFIBUS distributed I/O rack to communicate to various
devices (RFID readers, GPS device, and others):
● PROFINET (Page 147): You connect the Ethernet interface of the S7-1200 CPU to a
PROFINET interface module. PtP communication modules in the rack with the interface
module can then provide serial communications to the PtP devices.
● PROFIBUS (Page 157): You insert a PROFIBUS communication module in the left side
of the rack with the S7-1200 CPU. You connect the PROFIBUS communication module
to a rack containing a PROFIBUS interface module. PtP communication modules in the
rack with the interface module can then provide serial communications to the PtP
devices.
For this reason, the S7-1200 supports two sets of PtP instructions:
● Legacy point-to-point instructions: These instructions existed prior to version V4.0 of the
S7-1200 and only work with serial communications using a CM 1241 communication
module or CB 1241 communication board.
● Point-to-point instructions (Page 185): These instructions provide all of the functionaity of
the legacy instructions, plus the ability to connect to PROFINET and PROFIBUS
distributed I/O. The point-to-point instructions allow you to configure the communications
between the PtP communication modules in the distributed I/O rack and the PtP devices.
Note
With version V4.1 of the S7-1200, you can use the point-to-point instructions for all types of
point-to-point communication: serial, serial over PROFINET, and serial over PROFIBUS.
STEP 7 provides the legacy point-to-point instructions only to support existing programs. The
legacy instructions still function, however, with V4.1 CPUs as well as V4.0 and earlier CPUs.
You do not have to convert prior programs from one set of instructions to the other.
179
7.10.2 Using the serial communication interfaces

Two communication modules (CMs) and one communication board (CB) provide the
interface for PtP communications:
● CM 1241 RS232 (Page 426)
● CM 1241 RS422/485 (Page 425)
● CB 1241 RS485 (Page 423)
You can connect up to three CMs (of any type) plus a CB for a total of four communication
interfaces. Install the CM to the left of the CPU or another CM. Install the CB on the front of
the CPU. Refer to the installation guidelines (Page 19) for information on module installation
and removal.
The serial communication interfaces have the following characteristics:
● Have an isolated port
● Support Point-to-Point protocols
● Are configured and programmed through the point-to-point communication processor
instructions
● Display transmit and receive activity by means of LEDs
● Display a diagnostic LED (CMs only)
● Are powered by the CPU: No external power connection is needed.
Refer to the technical specifications for communication interfaces (Page 414).
LED indicators
The communication modules have three LED indicators:
● Diagnostic LED (DIAG): This LED flashes red until it is addressed by the CPU. After the
CPU powers up, it checks for CMs and addresses them. The diagnostic LED begins to
flash green. This means that the CPU has addressed the CM, but has not yet provided
the configuration to it. The CPU downloads the configuration to the configured CMs when
the program is downloaded to the CPU. After a download to the CPU, the diagnostic LED
on the communication module should be a steady green.
● Transmit LED (Tx): The transmit LED illuminates when data is being transmitted out the
communication port.
● Receive LED (Rx): This LED illuminates when data is being received by the
communication port.
The communication board provides transmit (TxD) and receive (RxD) LEDs. It has no
diagnostic LED.
180
7.10.3 PtP instructions

The Port_Config, Send_Config, and Receive_Config instructions allow you to change the
configuration from your user program.
● Port_Config changes the port parameters such as baud rate.
● Send_Config changes the configuration of serial transmission parameters.
● Receive_Config changes the configuration of serial receiver parameters in a
communication port. This instruction configures the conditions that signal the start and
end of a received message. Messages that satisfy these conditions will be received by
the Receive_P2P instruction.
The dynamic configuration changes are not permanently stored in the CPU. After a power
cycle, the initial static configuration from the device configuration will be used.
The Send_P2P, Receive_P2P, and Receive_Reset instructions control the PtP
communication:
● Send_P2P transfers the specified buffer to the CM or CB. The CPU continues to execute
the user program while the module sends the data at the specified baud rate.
● Receive_P2P checks for messages that have been received in the CM or CB. If a
message is available, it will be transferred to the CPU.
● Receive_Reset resets the receive buffer.
Each CM or CB can buffer up to a maximum of 1K bytes. This buffer can be allocated across
multiple received messages.
The Signal_Set and Signal_Get instructions are valid only for the RS232 CM. Use these
instructions to read or set the RS232 communication signals.
The Get_Features and Set_Features instructions enable the program to read and set module
features.
181
7.10.4 USS instructions

S7-1200 supports the USS protocol and provides instructions that are specifically designed
for communicating with drives over the RS485 port of a CM or a CB. You can control the
physical drive and the read/write drive parameters with the USS instructions. Each RS485
CM or CB supports a maximum of 16 drives.
● The USS_Port_Scan instruction handles actual communication between the CPU and all
the drives attached to one CM or CB. Insert a different USS_Port_Scan instruction for
each CM or CB in your application. Ensure that the user program executes the
USS_Port_Scan instruction fast enough to prevent a communication timeout by the drive.
Use the USS_Port_Scan instruction in a program cycle or any interrupt OB.
● The USS_Drive_Control instruction accesses a specified drive on the USS network. The
input and output parameters of the USS_Drive_Control instruction are the status and
controls for the drive. If there are 16 drives on the network, your program must have at
least 16 USS_Drive_Control instructions, with one instruction for each drive.
Ensure that the CPU executes the USS_Drive_Control instruction at the rate that is
required to control the functions of the drive. Use the USS_Drive_Control instruction only
in a program cycle OB.
● The USS_Read_Param and USS_Write_Param instructions read and write the operating
parameters of the remote drive. These parameters control the internal operation of the
drive. See the drive manual for the definition of these parameters.
Your program can contain as many of these instructions as necessary. However, only
one read or write request can be active for any one drive at any given time. Use the
USS_Read_Param and USS_Write_Param instructions only in a program cycle OB.
An instance DB contains temporary storage and buffers for all of the drives on the USS
network connected to each CM or CB. The USS instructions for a drive use the instance DB
to share the information.
182
Calculating the time required for communicating with the drive

Communications with the drive are asynchronous to the CPU scan. The CPU typically
completes several scans before one drive communications transaction is completed.
The USS_Port_Scan interval is the time required for one drive transaction. The table below
shows the minimum USS_Port_Scan interval for each communication baud rate. Calling the
USS_Port_Scan function more frequently than the USS_Port_Scan interval will not increase
the number of transactions. The drive timeout interval is the amount of time that might be
taken for a transaction, if communications errors caused 3 tries to complete the transaction.
By default, the USS protocol library automatically does up to 2 retries on each transaction.
Table 7- 14 Calculating the time requirements
Baud rate Calculated minimum USS_Port_Scan call Drive message interval timeout per
Interval (milliseconds) drive (milliseconds)
1200 790 2370
2400 405 1215
4800 212.5 638
9600 116.3 349
19200 68.2 205
38400 44.1 133
57600 36.1 109
115200 28.1 85
183
7.10.5 Modbus instructions

The CPU supports Modbus communication over different networks:
● Modbus RTU (Remote Terminal Unit) is a standard network communication protocol that
uses the RS232 or RS485 electrical connection for serial data transfer between Modbus
network devices. You can add PtP (Point to Point) network ports to a CPU with a RS232
or RS485 CM or a RS485 CB.
Modbus RTU uses a master/slave network where all communications are initiated by a
single Master device and slaves can only respond to a master’s request. The master
sends a request to one slave address and only that slave address responds to the
command.
● Modbus TCP (Transmission Control Protocol) is a standard network communication
protocol that uses the PROFINET connector on the CPU for TCP/IP communication. No
additional communication hardware module is required.
Modbus TCP uses client-server connections as a Modbus communication path. Multiple
client-server connections may exist, in addition to the connection between STEP 7 and
the CPU. Mixed client and server connections are supported up to the maximum number
of connections allowed by the CPU. Each MB_SERVER connection must use a unique
instance DB and IP port number. Only 1 connection per IP port is supported. Each
MB_SERVER (with its unique instance DB and IP port) must be executed individually for
each connection.
WARNING
If an attacker can physically access your networks, the attacker can possibly read and
write data.
The TIA Portal, the CPU, and HMIs (except HMIs using GET/PUT) use secure
communication that protects against replay and "man-in-the-middle" attacks. Once
communication is enabled, the exchange of signed messages takes place in clear text
which allows an attacker to read data, but protects against unauthorized writing of data.
The TIA Portal, not the communication process, encrypts the data of know-how
protected blocks.
All other forms of communication (I/O exchange through PROFIBUS, PROFINET, AS-i,
or other I/O bus, GET/PUT, T-Block, and communication modules (CM)) have no
security features. You must protect these forms of communication by limiting physical
access. If an attacker can physically access your networks utilizing these forms of
communication, the attacker can possibly read and write data.
For security information and recommendations, please see our "Operational Guidelines
for Industrial Security" on the Service and Support site:
www.industry.siemens.com/topics/global/en/industrial-
security/Documents/operational_guidelines_industrial_security_en.pdf
(http://www.industry.siemens.com/topics/global/en/industrial-
security/Documents/operational_guidelines_industrial_security_en.pdf)
Note
Modbus TCP will only operate correctly with CPU firmware release V1.02 or later. An
attempt to execute the Modbus instructions on an earlier firmware version will result in an
error.
184
Table 7- 15 Modbus instructions
Type of communication Instruction

Modbus RTU (RS232 or RS485) Modbus_Comm_Load: One execution of Modbus_Comm_Load is used to set up PtP
port parameters like baud rate, parity, and flow control. After the CPU port is config-
ured for the Modbus RTU protocol, it can only be used by either the Modbus_Master
or Modbus_Slave instructions.
Modbus_Master: The Modbus master instruction enables the CPU to act as a Mod-
bus RTU master device and communicate with one or more Modbus slave devices.
Modbus_Slave: The Modbus slave instruction enables the CPU to act as a Modbus
RTU slave device and communicate with a Modbus master device.
Modbus TCP (PROFINET) MB_CLIENT: Make client-server TCP connection, send command message, receive
response, and control the disconnection from the server.
MB_SERVER: Connect to a Modbus TCP client upon request, receive Modbus mes-
sage, and send response.
The Modbus instructions do not use communication interrupt events to control the
communication process. Your program must poll the Modbus_Master / Modbus_Slave or
MB_CLIENT/ MB_SERVER instructions for transmit and receive complete conditions.
A Modbus TCP client (master) must control the client-server connection with the
DISCONNECT parameter. The basic Modbus client actions are shown below.
1. Initiate a connection to a particular server (slave) IP address and IP port number
2. Initiate client transmission of Modbus messages and receive the server responses
3. When required, initiate the disconnection of client and server to enable connection with a
different server.
185
186

Simatic: Easy Book

Uploaded by

Copyright:

Available Formats

Simatic: Easy Book

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Simatic: Easy Book

Uploaded by

Copyright:

Available Formats

Easy Book Preface

Introducing the powerful and

PLC concepts made easy 4

Programming made easy 6

The S7-1200 compact controller includes:

This manual describes the following products:

Documentation and information

Service and support

3.10 Create an HMI screen ............................................................................................................ 50

6.3.2 Comparator and Move instructions .......................................................................................108

7.9.6 Accessories .......................................................................................................................... 176

Table 1- 1 Comparing the CPU models

Table 1- 2 Blocks, timers, and counters supported by S7-1200

1.2 Expansion capability of the CPU

① Communication module (CM) or communication processor (CP)

1.3 S7-1200 modules

Table 1- 3 S7-1200 expansion modules

Type of module Description

① Status LEDs on the SB

Type of module Description

1.4 Basic HMI panels

1.5 Mounting dimensions and clearance requirements

Table 1- 4 Mounting dimensions (mm)

S7-1200 Devices Width A Width B Width C

Provide adequate clearance for cooling and wiring

① Side view ③ Vertical installation

1.6 New features

● New programming instructions:

New modules for the S7-1200

Exchanging your V3.0 CPU for a V4.1 CPU

2.1 Easy to insert instructions into your user program

2.2 Easy access to your favorite instructions from a toolbar

You can easily customize the

2.3 Easy to add inputs or outputs to LAD and FBD instructions

Some of the instructions allow you to create additional inputs or outputs.

2.4 Expandable instructions

2.5 Easy to change the operating mode of the CPU

2.6 Easy to modify the appearance and configuration of STEP 7

2.7 Project and global libraries for easy access

Each project has a project library for storing the objects to be

2.8 Easy to select a version of an instruction

Click the icon on the instruction tree task card

To change the version of the instruction, se-

2.9 Easy to drag and drop between editors

To help you perform tasks quickly and easily,

To display two editors at one time, use the

2.10 Changing the call type for a DB

STEP 7 allows you to easily create or change the associ-

The "Call options" dialog allows

2.11 Temporarily disconnecting devices from a network

Right-click the interface port of the network

2.12 Easy to virtually "unplug" modules without losing the configuration

STEP 7 provides a storage area for "un-

In the Start portal, click the

After creating the project, select the Devices &

Select the CPU to add to the project:

The Device view displays the

3.2 Create tags for the I/O of the CPU

With the device editor open, open a tag table.